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Glossary 



Quantum Circuit Model: One of the standard and most commonly used models 
of quantum computation which generalizes the classical model of acyclic circuits 
and closely models most of the proposed physical implementations of quantum 
computers. When studying algorithms for a problem with an infinite number of 
possible inputs, one usually restricts attention to uniform families of circuits, which 
are families of circuits in which the circuit for inputs of size n can be generated 
efficiently as a function of n. For example, one might require that there is a classical 
Turing machine that can generate the nth circuit in time polynomial in n. 

Black Box Model: A model of computation where the input to the problem 
includes a "black-box" that can be applied (equivalently, an "oracle" that can 
be "queried"). This is the only way to extract information from the black-box. 
For example, the black-box could accept inputs j G {0, 1}™ and output a value 
Xj G {0, 1}. In this particular case, we can think of the black-box as a means 
for querying the bits of the string X = XiX 2 X 3 . . .X 2 n. In the black-box model, 
one usually measures complexity in terms of the number of applications of the 
black-box. 

Computational Complexity: When referring to an algorithm, the compu- 
tational complexity (often just called the complexity) is a measure of the resources 
used by the algorithm (which we can also refer to as the cost of the algorithm) 
usually measured as a function of the size of the input to the algorithm. The 
complexity for input size n is taken to be the cost of the algorithm on a worst-case 
input to the problem of size n. This is also referred to as worst-case complex- 
ity. When referring to a problem, the computational complexity is the minimum 
amount of resources required by any algorithm to solve the problem. See [176] for 
an overview. 

Query Complexity: When referring to a black-box algorithm, the query 
complexity is the number of applications of the black-box or oracle used by the 
algorithm. When referring to a black-box problem, the query complexity is the 
minimum number of applications of the black-box required by any algorithm to 
solve the problem. 

1 Definition of the Subject and Its Importance 

The Strong Church- Turing thesis states that a probabilistic Turing machine can 
efficiently simulate any realistic model of computation. By "efficiently", we mean 
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that there is a polynomial p such that the amount of resources used by the Turing 
machine simulation is not more than p(M) where M is the amount of resources 
used by the given realistic model of computation. 

Since a computer is a physical device, any reasonable model of computation 
must be cast in a realistic physical framework, hence the condition that the model 
be "realistic" is very natural. The probabilistic Turing machine is implicitly cast 
in a classical framework for physics, and it appears to hold as long as the compet- 
ing model of computation is also cast in a classical framework. However, roughly 
a century ago, a new framework for physics was developed, quantum mechanics. 
The impact of this new framework on the theory of computation was not take very 
seriously until the early 1970's by Stephen Wiesner [178] for cryptographic pur- 
poses (and later by Bennett and Brassard [26]). Benioff [23] proposed using quan- 
tum devices in order to implement reversible computation. Feynman [81] noted 
that a classical computer seems incapable of efficiently simulating the dynamics of 
rather simple quantum mechanical systems, and proposed that a "quantum" com- 
puter, with components evolving according to quantum mechanical rules, should 
be able to perform such simulations efficiently (see section 6). Manin made simi- 
lar observation independently [135]. Deutsch [66] worked on proving the original 
Church- Turing thesis (which was only concerned about effective computability, 
and not efficient computability) in a quantum mechanical framework, and defined 
two models of quantum computation; he also gave the first quantum algorithm. 
One of Deutsch's ideas is that quantum computers could take advantage of the 
computational power present in many "parallel universes" and thus outperform 
conventional classical algorithms. While thinking of parallel universes is sometimes 
a convenient way for researchers to invent quantum algorithms, the algorithms and 
their successful implementation are independent of any particular interpretation 
of standard quantum mechanics. 

Quantum algorithms are algorithms that run on any realistic model of quantum 
computation. The most commonly used model of quantum computation is the 
circuit model (more strictly, the model of uniform families of acyclic quantum 
circuits), and the quantum Strong Church-Turing thesis states that the quantum 
circuit model can efficiently simulate any realistic model of computation. Several 
other models of quantum computation have been developed, and indeed they can 
be efficiently simulated by quantum circuits. Quantum circuits closely resemble 
most of the currently pursued approaches for attempting to construct scalable 
quantum computers. 

The study of quantum algorithms is very important for several reasons. Com- 
putationally secure cryptography is widely used in society today, and relies on the 
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believed difficulty of a small number of computational problems. Quantum com- 
putation appears to redefine what is a tractable or intractable problem, and one 
of the first breakthroughs in the development of quantum algorithms was Shor's 
discovery of efficient algorithms [165] for factoring and finding discrete logarithms. 
The difficulty of factoring and finding discrete logarithms was (and still is!) at the 
core of currently-used public-key cryptography, and his results showed that if and 
when a quantum computer is built, then any messages that had been previously 
encrypted using our current public-key cryptographic tools could be compromised 
by anyone who had recorded the ciphertext and public keys. Furthermore the vast 
public-key infrastructure currently in place would be compromised with no clear 
alternative to replace it; also, any alternative will take many years to deploy. There 
was a sudden rush to answer two fundamental questions. Firstly, can we actually 
build a sufficiently large quantum computer? Perhaps this isn't a reasonable model 
of computation. Subsequent work on quantum fault-tolerant error correction in- 
dicates that the answer is "yes", and experimental progress has steadily grown. 
Secondly, what other interesting and important problems can quantum comput- 
ers solve more efficiently than the best known classical algorithms? The following 
sections survey the state of the art on the second question. 

As we gain confidence about which problems are still hard in a quantum me- 
chanical framework, we can start to rebuild confidence in a secure public-key cryp- 
tographic infrastructure that is robust in the presence of quantum technologies. 
Although the cryptographic implications are dramatic and of immediate relevance, 
in the longer term, the most important significance of quantum algorithms will be 
for a wider range of applications, where important problems cannot be solved be- 
cause there are no known (or possible) efficient classical algorithms, but there are 
efficient quantum mechanical solutions. At present, we know of applications such 
as searching and optimizing (section 5) and simulating physical systems (see sec- 
tion 6), but the full implications are still unknown and very hard to predict. The 
next few sections give an overview of the current state of quantum algorithmics. 

2 Introduction and Overview 

There are several natural models of quantum computation. The most common 
one is a generalization of the classical circuit model. A detailed description of the 
circuit model of quantum computation can be found in several textbooks [148, 
128, 121]. One can also define continuous models of computation, where one 
specifies the Hamiltonian H(t) of the system at time t, where H(t) is a "reasonable" 
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Hamiltonian (e.g. a sum Hamiltonians involving a constant number of nearby 
subsystems), and one evolves the system for a period of time T. A reasonable 
measure of the total cost might be f t=Q \ \H(t)\\dt. 

Most algorithmic work in quantum computing has been developed in discrete 
models of computation, that is, with a discrete state space and with discrete time 
steps. In sections 8.1 and 9, we discuss algorithms developed in a continuous-time 
model of computation. Even if, as in the case of classical computers, implemen- 
tations of scalable fault-tolerant quantum computers have discrete time steps and 
state spaces, these algorithms are still very useful since there are efficient simu- 
lations using any universal discrete model of computation. Note that if no such 
efficient simulation exists, then either the continuous model of computation in 
question is physically unrealistic, or the quantum Strong Church- Turing thesis is 
incorrect. 

Discrete state spaces can be used to approximate continuous state spaces in or- 
der to solve problems normally posed with continuous state spaces. One must 
choose appropriate discretizations, analyzing errors in the approximation, and 
quantify the scaling of the algorithm as the overall approximation error gets arbi- 
trarily small. Quantum algorithms for such continuous problems are surveyed in 
[149]. 

Many of the key ideas that led to the development of quantum computation 
emerged from earlier work on reversible computation [24]. Many facts from the 
theory of reversible computing are fundamental tools in the development of quan- 
tum algorithms. For example, suppose we have a classical algorithm for computing 
a function / : {0, 1}™ — > {0, l} m (we use binary encoding for convenience). The 
details of the computing model are not so important, as long as it's a realistic 
model. For concreteness, suppose we have a reasonable encoding of a circuit of 
size C, using gates from a finite set, that takes x e {0, l} n as input and outputs 
y G {0, l} m (discarding any additional information it might have computed). Then 
this circuit can be efficiently converted into a circuit, composed only of reversible 
gates, that maps | x) | y) | 0) i— > | x) | y © /(x)) | 0), where © denotes the bitwise 
XOR (addition modulo 2), and the third register of 0s is ancilla workspace that 
is reset to all 0s by reversible operations. This new circuit uses 0(C) reversible 
gates from a finite set, so the overhead is modest. A basic introduction to this 
and other important facts about reversible computing can be find in most stan- 
dard textbooks on quantum computing. For example, in section 5 on quantum 
searching, we use the fact that we can convert any classical heuristic algorithm 
that successfully guesses a solution with probability p into a reversible quantum 
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algorithm that guesses a solution with probability amplitude v /p. 

Most of the known quantum algorithms can be phrased as black-box algorithms 
solving black-box problems. A black-box, or oracle, is subroutine or subcircuit 
that implements some operation or function. It does so in a way that provides 
no other information other than simply taking an input and giving the prescribed 
output. One cannot, for example, look at the inner workings of the circuit or 
device implementing the black-box to extract additional information. For example, 
Shor's factoring algorithm can be viewed as an algorithm that finds the order of 
an element in a black-box group (that is, a group for which the group operations 
are computed by a black-box), or the period of a black-box function, where the 
black-box is substituted with a subcircuit that implements exponentiation modulo 
N. The quantum search algorithm is described as a black-box algorithm, but it is 
straightforward to substitute in a subcircuit that checks if a given input is a valid 
certificate for some problem in NP. 

If we take a black-box algorithm that uses T applications of the black-box and 
A other computational steps, and replace each black-box with a subcircuit that 
uses B elementary gates, then we get an algorithm that uses TB + A gates. Thus 
if T and A are both polynomial in size, then an efficient black-box algorithm yields 
an efficient algorithm whenever we replace the black-box with a polynomial time 
computable function. 

Many lower bounds have been found in the black-box model. The query com- 
plexity of a black-box problem is the number of applications of the black-box (or 
queries to the oracle) that a black-box algorithm must make in order to solve the 
problem. If we try to solve a problem that has query complexity T, where the 
black-box is implemented by some subcircuit, then we can conclude that any algo- 
rithm that treats the subcircuit as a black-box must apply the subcircuit a total 
of T times and thus use fi(T) gates (we use the fact that any implementation of 
the black-box uses at least 1 gate; if we had a lower bound on the complexity of 
implementing the black-box, then we could derive a better lower bound in this 
case). However, this does not imply that an VL(T) lower bound applies to any 
algorithm that uses the subcircuit, since it might exploit the information within 
the subcircuit in a way other than just applying the subcircuit. A discussion of 
the black-box model and its practical relevance can be found in [53, 121, 173]. 

In the literature, one can often seen a progression from studying basic algo- 
rithmic primitives (such as the convergence properties of a generic quantum walk), 
to the application to solve a black-box problem (such as element distinctness), 
to solving some concrete computational problem (like factoring an integer) that 
doesn't involve a black-box. 
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This survey will include both black-box and non-black-box results. It is infea- 
sible to detail all the known quantum algorithms, so a representative sample is 
given in this article. For a subset of this sample, there is an explicit definition of 
the problem, a discussion of what the best known quantum algorithm can do, and 
a comparison to what can be achieved with classical algorithms. For black-box 
problems, we attempt to give the number of queries and the number of non-query 
operations used by the algorithm, as well as the best-known lower bounds on the 
query complexity. In some cases, all of this information is not readily available in 
the literature, so there will be some gaps. 

As a small technical note, when we refer to a real number r as an input or 
output to a problem, we are referring to a finite description of a real number from 
which, for any integer n, one can efficiently compute (in time polynomial in n) an 
approximation of r with error at most 1/2™. 

In this article, we start with a brief sketch of the very early quantum algorithms, 
and then in the subsequent sections the algorithms are grouped according to the 
kind of problems they solve, or the techniques or algorithmic paradigms used. 

Section 3 summarizes the early quantum algorithms. Section 4 describes the 
Abelian Hidden Subgroup algorithms, including Shor's factoring and discrete log- 
arithm algorithms. Section 5 describes quantum searching and amplitude amplifi- 
cation and some of the main applications. Section 6 describes quantum algorithms 
for simulating quantum mechanical systems, which are another important class of 
algorithms that appear to offer an exponential speed-up over classical algorithms. 
Section 7 describes several non-trivial generalizations of the Abelian Hidden Sub- 
group Problem, and related techniques. Section 8 describes the quantum walk 
paradigm for quantum algorithms and summarizes some of the most interesting 
results and applications. Section 9 describes the paradigm of adiabatic algorithms. 
Section 10 describes a family of "topological" algorithms. Section 11 describes al- 
gorithms for quantum tasks which cannot be done by a classical computer. In 
section 12 we conclude with a discussion. 

3 Early Quantum Algorithms 

The first explicitly defined quantum algorithm was the one described by David 
Deutsch in his landmark paper [66] where he defined the model of quantum com- 
putation, including a circuit and Turing machine model. 

The problem was to decide if a given function / : {0, 1} i— > {0, 1} is constant 
or "balanced" (the function / is balanced if there are an equal number of and 1 
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outputs). In other words, output /(0) © /(l), where © denotes addition modulo 
2. One is given a circuit that implements | x) | 0) h- > | x) | f(x)). Deutsch showed 
that using one application of the circuit, we can compute 

^10) |/(o )) + ^ U) |/(i)>. 

If /(0) = /(l), then the first qubit is in the state | 0) + ^ | 1) and thus applying 
a Hadamard transformation to the first qubit will output | 0) with certainty. How- 
ever, if /(0) 7^ /(l), then applying a Hadamard gate and measuring will output 
| 0) with probability | and | 1) with probability \. Thus if we obtain 1 1), we are 
certain that the function is balanced, and thus we would output "balanced" in 
this case. If we obtain | 0) , we cannot be certain; however, by guessing "constant" 
with probability | in this case, we get an algorithm that guesses correctly with 
probability |. This is not possible with a classical algorithm that only evaluates / 
once. 

If one knows, for example, that the unitary transformation also maps 
| x) | 1) i— > | x) | 1 © f(x)), then one can solve this problem with certainty with 
only one query [55]. A common tool that is used in this and many other 
quantum algorithms, is to note that if one applies such an implementation 

of / on the input | x) | 0) — | l)j , then the output can be written as 

(-iyW\x) (75IO) This technique can be used to replace the 2- 
step process of first mapping | x) | 0) 1— > \x)\f(x)), then applying a Z gate 
I x ) I f( x )) l— ¥ \ x ) \ f( x )) = ( — l)-^ I x) I f(x)), and then applying the 

function evaluation a second time in order to "uncompute" the value of f(x) from 
the second register: (— l)^( x ) | x) \ f(x)) 1— > (— l)-f( x ) | x) | 0). 

This problem was generalized to the Deutsch- Jozsa problem [67] which asks the 
same constant versus "balanced" question, but for a function / : {0, l} n — > {0, 1}, 
with the promise that the function is either constant or balanced. The notion of 
a promise problem appears frequently in the study of quantum algorithms and 
complexity. One can either think of the condition as a promise, or alternatively, 
one can accept any answer as correct in the case that the promise is not satisfied. 

This problem was solved with 2 queries with a similar algorithm, and the 2 
queries can be reduced to one 1 if the oracle evaluating / has the form | x) \ b) 1— > 
I x) I b © f{x)). A classical deterministic algorithm requires 2 n_1 + 1 evaluations of 
the function in order to decide if / is constant or balanced with certainty. However, 
a classical randomized algorithm can decide if / is constant or balanced with error 
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probability e with only O(log-) queries. Other oracle separations were given in 
[31,32]. 

Bernstein and Vazirani [29] defined a special family of functions that are either 
constant or balanced, in particular, for any a G {0, l} n , b G {0, 1}, let / a ( x ) = 
a • x © b. They showed how to find a using only 2 evaluations of a black-box 
implementing | x) | 0) h- > | x) |/(x)). This can be reduced to 1 evaluation given 
the standard black-box Uf : | x) | b) \— > | x) |6©/(x)). This algorithm can be 
generalized quite naturally to finding the hidden matrix M in the affine map x i— > 
Mx + b, where x G ZJy, b G Z^ and M is an m x n matrix of values in Zjy (with 
element- wise addition modulo N), using only m queries [104, 142]. In some sense, 
the quantum algorithm takes a black-box for right-multiplying by M and turns it 
into a black-box for left-multiplying by M. This allows us to determine M with 
only m queries instead of n + 1 queries, which can be advantageous if m < n, 
although no practical application has been developed to date. 

Bernstein and Vazirani also give the first instance of a black-box problem (re- 
cursive Fourier sampling) where a quantum algorithm gives an exponential im- 
provement over bounded error randomized classical algorithms. Simon [167] gave 
another problem where there is an exponential gap. The problem is somewhat 
simpler to state, and is a special case of a broad family of important problems for 
which efficient quantum algorithms were subsequently found (using similar meth- 
ods). 

Simon's problem 

Input: A black-box Uf implementing | x) | 0) i— > | x) | /(x)) for a function 
/ : {0, 1}" -> {0, l} n with the property that /(x) = /(y) if and only if 
x © y G K = {0, s} for some s G {0, 1}™. 
Problem: Find s. 

Note that / is one-to-one if s = 0, the string of 0s, and / is two-to-one if s ^ 0. 

Simon's algorithm is very simple and elegant. We sketch it here, since many of 
the algorithms presented in the upcoming sections follow the same overall structure. 
We give a modified version that has a definite running time (versus letting it run 
indefinitely and analyzing the expected running time). 
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Simon's algorithm 



1. Start with the 2n qubit state | 00 ... 0) | 00 ... 0). Set i = 1. 

2. Apply a Hadamard gate to the first n qubits to obtain the state 

vfI x >I°>- 

3. Apply Uf to create the state ^= | x) | /(x)). 

4. Apply a Hadamard gate to the first n qubits. 

5. Measure the first n qubits to obtain a string y$ 6 {0, l} n . 

6. If i = n + 3, go to the next step. Otherwise, increment i and go to 
step 2. 

7. Let M be the (n + 3) x n matrix whose ith row is the vector y^. Solve 
the system Mx = (where we treat x and as column vectors). If 
there is a unique non-zero solution x = s, then output s. If the only 
solution is x = 0, then output 0. Otherwise, output "FAIL" . 



Note that in step 3, since we can partition the space into a disjoint union 
of cosets ZV./K of the subgroup K = {0, s}, where /(x) is constant on each coset, 
we can rewrite the state of the system as 

^fl x >l^» = 7Prr £ 4(l«> + |.®.»l/(«)>. 

Since the rest of the algorithm ignores the second register, we can assume that 
in the first register we have a random "coset state" (| z) + |z©s)) selected 
uniformly at random from all the coset states. 

After applying the Hadamard gates, the coset state gets mapped to a equally 
weighted superposition of states that are orthogonal to K, 

where K x = {y | y G Zj, y • s = 0}. Thus, with n + 0(1) random samples from 
K x , the samples vectors y« will generated K x with high probability. Then, using 
linear algebra, we can efficiently compute generators for K. In the generalizations 
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of Simon's algorithm that we see in the next few sections, we'll see a more general 
formulation of K 1 - for a hidden subgroup K. 

Shortly after Simon came up with his black-box algorithm, Shor [165] used 
similar ideas to derive his famous algorithms for factoring and finding discrete 
logarithms. 

Quantum algorithms for Simon's problem 

Simon's algorithm solves this problem with bounded error using n+0(l) ap- 
plications of Uf and 0(n) other elementary quantum operations and 0(n 3 ) 
elementary classical operations. 

Brassard and H0yer [36] combined Simon's algorithm with amplitude am- 
plification order to make the algorithm exact. 



Classical algorithms for Simon's problem 

Simon [167] showed a lower bound of fi(2?) queries, and this can be im- 
proved to fi(2"2"). 

This was a historical moment, since the field of quantum algorithms progressed 
from work on black-box algorithms and complexity, to an algorithm without black- 
boxes and of broad practical importance. It is important to note the fundamental 
role of the foundational complexity-theoretic work and black-box algorithms to the 
development of the practical algorithms. 

4 Factoring, Discrete Logarithms and the 
Abelian Hidden Subgroup Problem 

4.1 Factoring, Finding Orders and Periods, and Eigenvalue 
Estimation 

The most well known quantum algorithm is Shor's algorithm [165, 166] for the 
integer factorization problem. 

Integer factorization problem 

Input: An integer N. 

Problem: Output positive integers pi,P2, ■ ■ ■ ,Pi, ?"2, • • • , Ti where the pi 
are distinct primes and iV = p^p^ 2 •••£>['■ 
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This problem can be efficiently reduced (that is, in time polynomial in log TV), 
by a probabilistic classical algorithm, to 0(1) instances (note that I G O(logiV)) 
of the problem of finding the multiplicative order of an element modulo N, which 
can be solved efficiently on a quantum computer. 

Order finding problem 

Input: Positive integers a and N, such that GCD(a, N) 
relatively prime to N). 
Problem: Find the order of a modulo N. 

Essentially the same quantum algorithm can efficiently find the order of an 
element a in a finite group G given a black-box for performing the group arithmetic. 
Shor's algorithm in fact solves the more general problem of finding the period of a 
periodic function /. 

Period finding problem 

Input: A black-box implementing a periodic function / : Z i— > X for some 
finite set X, where f(x) = f(y) if and only if r \ x — y. 
Problem: Find the period r. 

Shor described his algorithm for the specific function f(x) = a x mod N, where 
iV was the integer to be factored, however the algorithm will find the period of any 
such periodic function (note the assumption that the values of /(l), /(2), . . . , f(r) 
are distinct; one can also analyze the case of where the values are not entirely 
distinct [33, 144]). 

Kitaev later showed that the problem of finding the order of a G G can alter- 
natively be reduced to the problem of estimating the eigenvalues of the operator 
that multiplies by a, and he described a efficient quantum algorithm for estimating 
such eigenvalues [125]. His method is to reduce the problem to phase estimation. 
Although Kitaev's algorithm was qualitatively different [115], it was shown that 
using an improved phase estimation algorithm yields an order-finding circuit that 
is essentially equivalent to Shor's factoring algorithm based on period-finding [55]. 

Both Shor's and Kitaev's approaches find r by finding good estimates of a 
random integer multiple of £ and then applying the continued fractions algorithm 
to find r. 



= 1 (i.e. a is 
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Sampling estimates 

to an almost uniformly random integer multiple of £ 

Input: Integers a, and N such that GCD(a, iV) = 1. Let r denote the 
(unknown) order of a. 

Problem: Output a number x G {0, 1, 2, . . . , 2 n — 1} such that for each 
k e {0, 1, . . . , r — 1} we have 



for some constant c > 0. 

Shor's analysis of the algorithm works by creating a "periodic state", which 
is done by preparing J2 X I x ) I qX m °d ^0 an d measuring the second register (in 
fact, just ignoring or tracing out the second register suffices, since one never uses 
the value of the measurement outcome). One then applies the quantum Fourier 
transform, or its inverse, to estimate the period. 

Kitaev's algorithm works by estimating a random eigenvalue of the operator 
U a that multiplies by a. 

Eigenvalue estimation problem 

Input: A quantum circuit implementing the controlled- U, for some unitary 
operator U, and an eigenstate oiU with eigenvalue e 2muJ . 
Problem: Obtain a good estimate for uo. 

He solves the eigenvalue estimation problem by solving a version of the well- 
studied phase estimation problem, and uses the crucial fact (as did Shor) that 
one can efficiently implement a circuit that computes U 2J = U 2 j using j group 
multiplications instead of 2 J multiplications. Thus one can efficiently reduce the 
eigenvalue estimation problem to the following phase estimation problem. 

Phase estimation problem 

Input: The states ^=(| 0) + e 2niujy 1 1)), for y = 1, 2, 4, ... , 2 n , for some 
ooe[0,2n). 

Problem: Obtain a good estimate of the phase parameter u. 

Kitaev's phase estimation algorithm used 0{n) copies of the states 0) + 
e 2mbjy 1 1)) for y = 1,8,64,..., and provides an estimate with error at most 
with high probability. Although there are slightly more efficient phase estimation 
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algorithms, one advantage of his algorithm is that it does not require a quantum 
Fourier transform, and instead performs some efficient classical post-processing of 
estimates of yu mod 1. This might be advantageous experimentally. The phase 
estimation problem has been studied for several decades [100, 102] recently with 
some focus on the algorithmic complexity of the optimal or near-optimal estimation 
procedures. 

Quantum algorithms for order finding 

Finding the order of a random element in Z* N 

- Quantum complexity is in 0((logiV) 2 loglog(iV) logloglog(iV)). 
Order finding in a black-box group 

- Quantum black-box complexity (for groups with unique encodings of 
group elements) is O(logr) black-box multiplications and 0(n+log 2 r) 
other elementary operations. 

Classical algorithms for order finding 

Finding the order of a random element in Z* N 

- Best known rigorous probabilistic classical algorithm has complexity 

in gCKVlogAHoglogAf^ 

- Best known heuristic probabilistic classical algorithm has complexity 

i n e O((log7V)3(loglogJV)§)_ 

Order finding in a black-box group 

- Classical black-box multiplication complexity is in Q(y/r). [54] 

By "heuristic" algorithm, we mean the proof of its running time makes some 
plausible but unproven assumptions. 

4.2 Discrete Logarithms 

Shor [165, 166] also solved the problem of finding discrete logarithms in the mul- 
tiplicative group of a finite field. 
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The discrete logarithm problem 

Input: Elements a and b = a* in Z*, where i is an integer from 
{0, 1, 2, . . . , r — 1} and r is the order of a. 

Problem: Find t. (The number t is called the discrete logarithm of b with 
respect to the base a.) 

Shor solved this problem by defining / : Z r x Z r i— > Z* as /(x, y) = a 3 ^. Note 
that f(xi,yi) = f(x2, 2/2) if and only if (x\ — X2, Hi — 2/2) is in the additive subgroup 
of Z r x Z r generated by (t, — 1). Since r is known, there is no need for the continued 
fractions algorithm. There is also an analogous eigenvalue estimation version of 
this algorithm. 

The algorithm can be defined in general for any group G where we have a 
black-box for computing the group operation. Given a, b G G, output the smallest 
positive t such that b = a*. For example, one can apply this algorithm to finding 
discrete logarithms in the additive group of an elliptic curve over a finite field 
[150, 120], a group widely used in public key cryptography [136]. In this case, 
the group operation is described as addition, and thus the problem is to find the 
smallest positive integer t such that b = ta, where b and a are points on some 
elliptic curve. 

Quantum complexities of the discrete logarithm problem 

• Finding discrete logarithms in F* 

- Quantum complexity is in 0((logg) 2 log log(g) logloglog(g)). 

• Discrete logarithms in a black-box group represented with strings of 
length n (including elliptic curve groups discussed above) 

- Quantum black-box complexity (for groups with unique encod- 
ings of group elements) is O(logr) black-box multiplications and 
0(n + log 2 r) other elementary operations. 
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Classical complexities of the discrete logarithm problem 

• Finding discrete logarithms in F* 

- Best known rigorous probabilistic classical algorithm has com- 
plexity in e <Vioggiog logq) f Qr cer ^ a j n values of q (including q = 2 n 
and prime q). 

- Best known heuristic probabilistic classical algorithm has com- 
plexity in e O(0°g;v)i(iogiogiV)§)_ 

• Discrete logarithms in a black-box group represented with strings of 
length n 

- Classical black-box complexity is in 6(v / r). For a large class 
of elliptic curves, the best known classical algorithms have com- 
plexity in 0(y/r) group additions. There are sub-exponential 
algorithms for special families of curves. 

4.3 Abelian Hidden Subgroup Problem 

Notice how we can rephrase most of the problems we have already discussed, along 
with some other ones, as a special case of the following problem. 

The Abelian hidden subgroup problem 

Let / : G — > X map an Abelian group G to some finite set X with the 
property that there exists some subgroup K < G such that for any x,y G G, 
f(x) = f(y) if and only if x + K = y + K. In other words / is constant on 
cosets of K and distinct on different cosets. 

Deutsch's Problem: 

G = Z 2 , X = {0, 1}, and K = {0} if / is balanced, and K = {0, 1} if / is 
constant. 

Generalized Simon's problem: 

G = Zj, X = {0, 1}™, and K is any subgroup of Z£. 

Finding orders: 

G = Z, X is any finite group H, r is the order of a e H . The subgroup 
K = rZ is the hidden subgroup of G, and a generator for K reveals r. 
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Finding the period of a function: 

G = Z, X is any set, r is the period of /. The subgroup K = rZ is the 
hidden subgroup of G, and a generator for K reveals the period r. 

Discrete logarithms in any group: G = Z r x Z r , X is any group iJ. 
Let a be an element of H with a r = 1 and suppose b = a k . Consider the 
function f(xi,x 2 ) = a Xl b x ' 2 . We have f(xi,x 2 ) = / (2/1, 2/2) if and only if 
(xi, x 2 ) — (yi, V2) G _ 0) ^ = 0, 1, . . . , r — 1}. The hidden subgroup K is 
the subgroup generated by (k, —1), where fc is the discrete logarithm. 

Hidden linear functions [33]: G = Z x Z. Let g be some permutation 
of Zat for some integer N. Let h be a function from Z x Z to Zat defined 
by /i(x, y) = x + ay mod N. Let f — g o h. The subgroup A" is the hidden 
subgroup generated by (—a, 1), and the generator reveals the hidden linear 
function h. 

Self-shift-equivalent polynomials [90]: Given a polynomial P in I vari- 
ables Xi,X 2 , . . . ,Xi over ¥ q (the finite field with q elements), the function 
/ which maps (ai, 02, ... , a/) G to P(Xi — ai,X 2 — a 2 , ■ ■ ■ , Xi — ai) is 
constant on cosets of a subgroup K of F^. This subgroup K is the set of 
self-shift-equivalences of the polynomial P. 

Abelian stabilizer problem [125]: Let G be any group acting on a finite 
set X . That is, each element of G acts as a map from X to X in such a 
way that for any two elements a, b G G, a(b(x)) = (ab)(x) for all x G X. 
For a particular element x G X, the set of elements which fix x (that is the 
elements a G G such that a(x) = x) form a subgroup. This subgroup is called 
the stabilizer of x in G, denoted Stc(x). Let f x denote the function from G 
to X which maps g G G to g(x). The hidden subgroup of f x is Stc(x). 

If we restrict attention to finite Abelian groups, or more generally, finitely gen- 
erated Abelian groups, then we can efficiently solve the hidden subgroup problem, 
by generalizations of the algorithms for factoring, finding discrete logarithms, and 
Simon's problem. 

The Abelian Hidden Subgroup problem can also be used to decompose a finite 
Abelian group into a direct sum of cyclic groups if there is a unique representative 
for each group element [142, 45]. For example, the multiplicative group of integers 
modulo N is an Abelian group, and we can efficiently perform computations in 
the group. However, having a decomposition of the group would imply an efficient 
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algorithm for factoring N. The class group of a number field is another Abelian 
group for which a decomposition is believed to be hard to find on a classical com- 
puter. For example, such a decomposition would easily give the size of the class 
group, which is also known to be as hard as factoring, assuming the Generalized 
Riemann Hypothesis. Computing the class group of a complex number field is 
a simple consequence of the algorithm for decomposing an Abelian group into a 
direct sum of cyclic groups, since there are techniques for computing unique repre- 
sentees in this case. A unique classical representation is sufficient, but a quantum 
state could also be used to represent a group element. For example, a uniform 
superposition over classical representives of the same group element would also 
work (this technique was applied by Watrous in the case of solvable groups [175]). 
Computing the class number of a real number field is not as straightforward, since 
there is no known way to efficiently compute a unique classical representative for 
each group element. However Hallgren [96] used the techniques outlined in section 
7.2 to show how to compute quantum states to represent the group elements, as- 
suming the Generalized Riemann Hypothesis, in the case of class group of a real 
number field of constant degree, and thus is able to compute the class group in 
these cases as well . 

Quantum algorithms for the Abelian Hidden Subgroup Problem 

There exists a bounded-error quantum algorithm for finding generators for 
the hidden subgroup K < G = Z Nl x Z N2 x • • • x Z Nl of / using 0(1) 
evaluations of / and 0(log 3 A) other elementary operations, where N = 
A 1 A 2 ...A ; = |G'|. 

It can be shown that D,(l) queries are needed for worst-case K. 



Classical algorithms for the Abelian Hidden Subgroup Problem 

In the black-box model Vl(^\G/K\) queries are necessary in order to even 
decide if the hidden subgroup is trivial. 

Generalizations of the Abelian Hidden Subgroup Problem are discussed in sec- 
tion 7. 

5 Algorithms based on Amplitude Amplification 

In 1996 Grover [91] developed a quantum algorithm for solving the search problem 
that gives a quadratic speed-up over the best possible classical algorithm. 
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Search problem 

Input: A black-box Uf for computing an unknown function / : {0, l} n — > 
{0,1}. 

Problem: Find a value x G {0, l} n satisfying /(x) = 1, if one exists. 
Otherwise, output "NO SOLUTION". 

The decision version of this problem is to output 1 if there is a solution, and 
if there is no solution. 

This problem is stated in a very general way, and can be applied to solving a 
wide range of problems, in particular any problem in NP. For example, suppose 
one wanted to find a solution to an instance <E> of the 3-SAT problem. The Boolean 
formula $ is in "3-conjunctive normal form" (3-CNF), which means that it is a 
conjunction (logical AND) of clauses, each of which is a disjunction (logical OR) 
of three Boolean variables (or their negations). For example, the following is a 
3-CNF formula in the variables b\, b 2 , ■ ■ ■ , b 5 : 

$ = (&! V b 2 V b 5 ) A (6i V 6 4 V 65) A (64 V b 2 V 6 3 ), 

where we let b denote the logical NOT of b. A "satisfying assignment" of a partic- 
ular 3-CNF formula $ is an assignment of or 1 values to each of the n variables 
such that the formula evaluates to 1. Given a satisfying assignment, it is easy 
to check if it satisfies the formula. Define /$ to be the function that, for any 
x = x x x 2 ■ ■ ■ x n G {0, l} n , maps x 1— > 1 if the assignment 6j = x iy % = 1, 2, . . . , n 
satisfies $ and x 1— > otherwise. Solving the search problem for /$ is equivalent 
to finding a satisfying assignment for $. 

If we only learn about / by applying the black-box Uf, then any algorithm 
that finds a solution with high probability for any / (even if we just restrict to 
functions / with at most one solution) requires Vt(\/W l ) applications of Uf [25]. 

The basic intuition as to why a quantum algorithm might provide some speed- 
up is that a quantum version of an algorithm that guesses the solution with prob- 
ability will in fact produce the correct answer with probability amplitude -7=. 
The hope is that additional guesses increase the amplitude of finding a correction 
solution by fi(^=), and thus 0(v / 2") guesses and applications of Uf might suffice 
in order to get the total probability amplitude close to I. Of course, one needs 
to find a unitary algorithm for implementing this, and obvious approaches do not 
permit the amplitudes to add constructively. Lov Grover discovered a quantum al- 
gorithm that does permit the amplitudes to add up in such a way. This algorithm 
was analyzed and generalized to the technique known as "amplitude amplifica- 
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tion" [35, 36, 37]. Further generalizations of these search algorithms are discussed 
in section 8. 

Quantum Algorithms for Searching: 

There exists a quantum algorithm that finds a solution with probability at 
least | if one exists, otherwise outputs "NO SOLUTION", and uses 0(y/2fi) 
applications of Uf. The algorithm uses 0(ny/2^) elementary gates. Note 
that Q(y/2fi) applications of Uf are necessary in order to find a solution for 
any /, even if we restrict attention to functions / with at most one solution. 

If, as an additional input, we are also given an algorithm A that will find a 
solution to f(x) — 1 with probability p, then Amplitude Amplification will 
find a solution with high probability using 0(-^=) applications of Uf and of 

unitary versions of A and A^ 1 . 

This more general statement implies that if there are m > 1 solutions, then 
there is an algorithm which makes an expected number of queries in 0{ \j2 n /m) 
(since guessing uniformly at random will succeed with probability This algo- 
rithm works even if the unitary black-box Uf computes / with a small bounded 
error [108]. 

Classical Algorithms for the Search Problem: 

Any classical algorithm must make Q(2 n ) queries in order to succeed with 
probability at least | on any input /, even if we restrict attention to func- 
tions with at most one solution. Exhaustive searching will find a solution 
using 0(2 n ) applications of Uf. 

If we are also given a black-box A that successfully guesses a solution to 
f(x) = 1 with probability p > ^r, then O(^) applications of Uf are needed 
and also sufficient (using random sampling). 

If instead of a black-box for Uf, we are given a circuit for / or some other 
description of / (such as a description of the 3-SAT formula <3> in the case of /$) 
then there might be more efficient algorithms that uses this additional information 
to do more than just use it to apply Uf. One can directly use amplitude amplifi- 
cation to get a quadratic speed-up for any such heuristic algorithm that guesses a 
solution with probability p, and then repeats until a solution is found. 

The quantum searching algorithm has often been called 'database' search algo- 
rithm, but this term can be misleading in practice. There is a quadratic speed-up 
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if there is an implicit database defined by an efficiently computable function /. 
However, if we are actually interested in searching a physical database, then a 
more careful analysis of the physical set-up and the resources required is neces- 
sary. For example, if a database is arranged in a linear array, then to query an 
TV-element database will take time proportional to N. If the data is arranged in a 
square grid, then a general lookup could be possibly be done in time proportional 
to \/~N. This limitation is true for both classical and quantum searching, however 
the hardware assumptions in the two cases are often different, so one needs to 
be careful when making a comparison, (e.g. [180], [158], and Chapter 6 of [148], 
discuss these issues.) 

Local searching [2] restricts attention to architectures or models where subsys- 
tems can only interact locally, and does not allow access to any memory location 
in one unit of time regardless of the memory size (which is not truly possible in 
any case, but can sometimes be appropriate in practice). The algorithms used 
include quantum walk algorithms (e.g. [182]) and can achieve quadratic or close 
to quadratic speed-ups depending on details such as the spatial dimension of the 
database. 

It is also important to note that there has been much work studying the quan- 
tum query complexity of searching an ordered list. It is known that ©(logiV) 
queries are necessary and sufficient, but the constant factor is not yet known 
[107, 51, 28]. 

5.1 Other applications of Amplitude Amplification 

Apart from the application to the searching problem, one of the first applica- 
tions of the quantum searching algorithm was to counting [39], and more generally 
amplitude amplification can be used to estimate amplitudes [37]. The quantum 
algorithm for amplitude estimation combines the techniques of the order find- 
ing algorithm with amplitude amplification. Bounds on optimal phase estimation 
translate to bounds on optimal amplitude estimation. It has several applications, 
including approximate and exact counting [39, 37], and approximating the mean 
(or, in the continuous case [149], the integral) of a function [172]. These applica- 
tions offer up to a quadratic speed-up over classical algorithms. 

We have already mentioned the straight-forward, and very useful, application 
of amplitude amplification to searching: providing a quadratic speed-up up for any 
algorithm that consists of repeating a subroutine that guesses a solution, until a 
solution is found. However, there are many applications of amplitude amplification 
that are not so straightforward, and require some additional non-trivial algorithmic 
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insights. Other applications of amplitude amplification include the collision finding 
problem, which has applications to breaking hash functions in cryptography. 

Collision Finding Problem: 

Input: A black-box Uf for computing a function / : {0,1}™ — > {0, l} m . 
The function / is r to 1, for some positive integer r. 

Problem: Find two distinct x, y G {0,1}™ with f(x) = f(y), if r > 1. 
Otherwise output "NO COLLISION". 



Quantum Algorithms for Collision Finding 

There exists a quantum algorithm [38] that uses 0((^-) 3 ) applications of 

Uf, and 0((— ) 3 polylog (— )) other elementary operations, and 0((^-) 3 ) 
space, and outputs a collision with probability at least | if r > 1, and 
outputs "NO COLLISION" otherwise. 

It can be shown that 3 ) applications oiUf are needed. 



Classical Algorithms for Collision Finding 

There exists a classical probabilistic algorithm that uses 0((^-) 2 ) appli- 
cations of Uf, and 0((^-) 2 polylog (^-)) other elementary operations, and 
O(n) space, and outputs a collision with probability at least | if r > 1, 

and outputs "NO COLLISION" otherwise. It can be shown that 
applications of Uf are needed. 

Other applications include finding claws [39], finding the maximum (or mini- 
mum) value of a function [106], string matching [153], estimating the median of a 
function [92, 147] and many others [86, 69]. There is also a non-trivial application 
to the element distinctness problem [41], which we define in section 8, since there is 
a better, optimal, quantum walk algorithm. Amplitude amplification also a basic 
tool in making algorithms exact [36, 145]. 

6 Simulation of quantum mechanical systems 

Feynman's reason for considering a quantum computer was to simulate other 
quantum mechanical systems [81]. This general idea was described in more 
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detail by Lloyd [130] and Zalka [180], and later by many other authors (e.g. 
[148]). More detailed situations have been studied by numerous authors including 
[170, 46, 44, 118]. 

There are other notions of what one what one might mean by simulating a 
physical system, such as computing properties of the ground state of the Hamilto- 
nian, or other properties of the spectrum of the Hamiltonian. In this section, we 
focus on the problem of simulating the evolution of a quantum mechanical system 
given the initial state (or a description of it) and a description of the Hamiltonian 
of the system. 

For convenience, we will restrict attention to a discrete Hilbert space. In prac- 
tice, when modelling systems with a continuous state space, the state space will 
need to be approximated with a discrete state space [180] with enough states so 
that the accumulated error is below the desired error threshold. This general 
problem of dealing with continuous problems is discussed in [149]. 

We will also restrict attention to time-independent Hamiltonians, since well- 
behaved time-dependent Hamiltonian evolution can be approximated by a sequence 
of time-dependent Hamiltonian evolutions. 

There are two natural ways that have been studied for representing the Hamil- 
tonian. The first way, is to represent H = Y2k=i Hk, where Hk is a simple enough 
Hamiltonian that we know how to efficiently simulate its evolution. For conve- 
nience, we assume the simulation of the H k term for a time t takes unit cost and is 
exact. In practice, if the simulation can be done with error e in time polynomial in 
-, t — \ \Hk\ \t, and n, then the effect on the overall cost is by a factor that is poly- 
nomial in these factors. In many situations, the simulation is polynomial in log(^) 
and logr, and independent of n and e. This leads to the following formulation. 

Hamiltonian Simulation Problem 1 

Input: 

An integer n and black-boxes A ± , A 2 , . . . , A M , where Aj takes a non-negative 
real number r and executes e lHjr , for a set of Hamiltonians Hj acting on n 
qubits. 

The value of | \H\\, the trace norm of H — Xlfli Hk- 

A positive real number t. 

A positive real number e < 1. 

An n-qubit state | ip). 

Output: 

A state | ipf) satisfying 1 1 | ipf) — e lHt < e. 
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In practice, the input will likely be a classical description of how to prepare the 
state | ip). It suffices to have an upper bound on (if the bound is within a 
constant factor, this won't affect the stated complexities). In particular, it suffices 
that we can efficiently compute or approximate the eigenvalue X k of a given an 
eigenvector | E k ) of H k . This is the case, for example, when the Hilbert space is 
a tensor product of n finite sized subsystems and H k acts non-trivially only on a 
finite number of subsystems, say c of them. In other words, up to a reordering of 
the subsystem labels, H k = I n ~ c <8> H k . Since 

e iH k t = jn-c 0e iH k t^ 

in order to simulate the evolution of H k for a time interval of size t, one only needs 
to simulate H k on the relevant c qubits for a time interval of size t. In this case, 
since we know H k , one can use "brute-force" methods to approximately implement 
the map | E\ k ) i— > e 2mXkt \ E Xk ), for any time interval t. 

An easy example is when the state space is n qubits, and H k is a tensor product 
of Pauli operators. This means that we can easily diagonalize H k as H k = (Pi®P2® 
. . .®P c )Z c (P\®Pl®. . .<S>Pc) for some one-qubit unitary operations P±, P 2 , . . . , P c . 
Thus we have 

e iH k t = (p 10 p 20 ...0 P c )e lZC \P\ ® P\ (g) . . . ® P\). 

Since 

e iZH I x ± x 2 ...x c ) = e ltf ^- Xc) I Xl x 2 . . . x c ) 

where f(x±, . . . , x c ) — X\ © . . . © x c , this simulation can be done easily. In fact, as 
pointed out in [f 48] , in the case that H k is such a product Hamiltonian, c does not 
need to be constant. 

Another example, [180], is where the eigenvectors of H k are of the form 

\E k )=Y j e^ n \ 3 ) 
3=0 

(i.e. "momentum" eigenstates), in which case the inverse quantum Fourier trans- 
form will map I E k ) 1— > | k), and then one can easily approximate | k) 1— > e tXkt \ k) 
for any efficiently computable function and then apply the quantum Fourier 
transform to map | k) 1— > | E k ) and thus effectively compute the transformation 

I £ fc )-e iA *' \E k ). 
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Thus we can study any situation where H = Hk and we have some means 
of efficiently simulating the time evolution of Hk- If the Hk commute, then 

e iHt _ e iH!t e iH 2 t e iH n t 

and the problem is straightforward. For the non-trivial case when the Hk do not 
commute pairwise, we can take advantage of approximations derived from Trotter 
formulas, like 

e iHt = ( e iH lt /n e iH 2 t/n jH n t/ n y + Q^jn) 

and other improved versions. A good estimate of the overall cost of this family of 
simulations is the number of terms of the form e lHjr are used, for any choice of r 
(we can assume < r < t, and that r is some efficiently computable number). 

Quantum complexity of Hamiltonian Simulation Problem 1 

There is a quantum algorithm that simulates e lHt on a given input | ip) with 
trace distance error at most e < 1 that uses a number of exponential terms 
N exp satisfying 

n \ o(iA/i) 
N exp e(Mr+l)M 1+0 ^r ^ (-) 

where r = and e = 1/2 S . Since the running time of simulating each 

exponential term is assumed to be polynomial in n, the overall running time 
is polynomial in n. 

In general, there are Hamiltonians for which fl(r) time is necessary. 

The product r = | \H\ \t is the relevant parameter since one can effectively speed 
up time by a factor of s by rescaling the Hamiltonian by a multiplicative factor of 
s, for any s > (e.g. one can perform an operation in half the time by doubling 
all the energies). 

It is hard to give an explicit comparison to the best known classical complexity 
of this general problem. There are classical algorithms and heuristics for special 
cases, but in the worst-case, the best solutions known require time exponential in 
n and polynomial in r (e.g. in r 1+ °^). 

Another natural formulation of the problem [10, 30] considers the case of sparse 
Hamiltonians, where for any basis state | x) there are at most d basis states | y) 
such that (x\H\y) ^ and one can efficiently compute this neighbourhood for 
any input x. This leads to the following black-box formulation of the problem. 
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Hamiltonian Simulation Problem 2 
Input: 

Integers n and d, and a black-box Uh that maps | x, i) | 0) i— > | x, i) \ yi, H XM ), 

where yi is the index of the ith non-zero entry in column x of the Hermitian 

matrix H (if there are d' < d non-zero entries, then Uf can output any 

index for i > d'). The values H x>y = (x\H\y) are the (x,y) entries of H 

represented in the computational basis. 

A positive real number t. 

A positive real number e < 1. 

An n-qubit state | ip). 

Output: 

A state | t/jf) satisfying 1 1 | ipf) — e lHt \ \ < e. 

The best known general solution was shown in [30]. 

Quantum complexity of Hamiltonian Simulation Problem 2 

There is a quantum algorithm that simulates e lHt on a given input | ip) with 
trace distance error at most e < 1 that uses a number of black-box calls, 
Nbb, satisfying, for any positive integer k, 



where r = ||i^||t and log* n is the smallest positive integer r such that 

log^ n < 2, where logjf'' refers to iterating the log 2 function r times. 

In general, there are Hamiltonians that require VL{t) black-box evaluations. 



Some applications involve trying to study properties of the ground state of 
a Hamiltonian by combining simulation of the dynamics with some approach for 
generating the ground state with non-trivial initial amplitude. For example, if one 
had a procedure A for generating a ground state | E ) of H with probability p, then 
one can combine the algorithm for simulating H with eigenvalue estimation, and 
then amplitude amplification on the eigenvalue estimates in order to generate the 





(log*n). 
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ground state with high fidelity. The algorithm would use 0(-^=) applications of A 

and A" 1 and 0(-^=) eigenvalue estimations. The eigenvalue estimations would have 

to be precise enough to distinguish | Eq) from the next highest energy eigenstate 
produced by A. If the gap between these two energies is A, then the eigenvalue 
estimation would involve simulating the evolution of H for a time in fi(^). 

Several papers address techniques for generating the ground states for various 
problems of interest including [3]. Another application for such simulations is to 
implement algorithms that are designed in the continuous-time model in a discrete- 
time quantum computation model. 

7 Generalizations of the Abelian Hidden Sub- 
group Problem 

7.1 Non- Abelian Hidden Subgroup Problem 

One of the most natural ways to generalize the Abelian Hidden Subgroup Problem 
is to non-Abelian groups. The problem definition is the same, apart from letting 
G be non-Abelian. One natural problem in this class of problems is the graph 
automorphism problem. 

Graph automorphism problem: Consider G = S n , the symmetric group 
on n elements, which corresponds to the permutations of {1,2, ... ,n}. Let G be 
a graph on n vertices labeled {1,2, . . . , n}. For any permutation a G S n , let /g 
map S n to the set of n-vertex graphs by mapping /g(c) = cr(G), where cr(G) is 
the graph obtained by permuting the vertex labels of G according to a. For the 
function /g, the hidden subgroup of G is the automorphism group of G. 

The graph isomorphism problem (deciding if two graphs Gi and G2 are isomor- 
phic) can be reduced to solving the graph automorphism problem. The best known 
classical algorithm takes time in e°^ n logn ) to decide if two graphs are isomorphic, 
and there is no substantially better quantum algorithm known. 

There has been much work attacking the non-Abelian hidden subgroup prob- 
lem. Ettinger, H0yer and Knill [73] showed the following. 

Query complexity of the non-Abelian Hidden Subgroup Problem 

For any finite group G, the non-Abelian hidden subgroup problem can be 
solved with high probability using 0(log queries to Uf. 
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Thus, the main question remaining is whether it is possible for the entire algo- 
rithm, including black-box queries and other elementary operations, to be efficient. 



7.1.1 Quantum Fourier transform approaches 

One natural approach is to mimic the algorithm for the Abelian HSP, which starts 
by computing 



For convenience, we suppose we measure the second register (it suffices just to 
trace out the 2nd register) and get some random outcome y, and thereby project 
the first register into the state 



where a is any element of G such that f(a) = y. In other words, as in the Abelian 
HSP algorithm, the first register is an equal superposition of all the elements in 
some coset of K. 

The question is: how do we extract information about K given a random coset 
state of Kl In the Abelian quantum Fourier transform of the coset state 

allowed us to sample elements that were orthogonal to K, which we illustrated in 
the case of Simon's algorithm. 

A more general way of looking at the quantum Fourier transform of an Abelian 
group G — ZjVj x ^a^2 

x • • • x Z Nl is in terms of representation theory. The Abelian 
group G can be represented by homomorphisms p that maps G to the complex 
numbers. There are in fact \G\ such homomorphisms, in a natural one-to-one 
correspondence with the elements of G. For each g = (ai, 02, ... , a/) G G, define 
p g to be the homomorphism that maps any h — (bi, &2, • • • , h) £ G according to 




and noticing that this equals 





a + x) 



p g {h) = e 
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Using these definitions, the quantum Fourier transform maps 

\9) ^ —7v^f^2Pg( h )\ h )- 
V l G l heG 

It is easy to verify that the quantum Fourier transform QFT^ 1 ® QFT^ 2 ® . . . <g) 
QFT^ l maps a coset state of a subgroup X to a superposition of labels /i where 

is in the kernel of p^, that is, Ph(k) = 1 for all k E K. Thus, after applying the 
quantum Fourier transform, one will only measure labels h = {pi, b 2 , . . . , bi) such 
that 

Pg (h) = e 2m ^^ = 1 

which generalizes the notion of orthogonality defined in the explanation of Simon's 
algorithm in a very natural way, since it means Yl\=\ ffi = ® m °d 1- This gives 
us a linear equation that must be satisfied by all h = (bi, b 2 , ■ ■ ■ , h) G K, and 
thus after I + 0(1) such random equations are collected, we can efficiently find 
generators for K by solving a linear system of equations. 

One can also define representations for finite non-Abelian groups G, except in 
order to fully capture the structure of G, we allow homomorphisms p to invertible 
matrices over C (in the Abelian case, we only need lxl matrices). For any finite 
group G one can define a finite set of such homomorphisms Pi, p 2 , ■ ■ ■ , Pk that 
map elements of G to unitary matrices of dimension d± x d±, d 2 x d 2 , ■ ■ ■ , x d^, 
respectively, with the property that £V df = \G\, and any other such representation 
is equivalent to a representation that can be factored into a collection of some 
number of these representations. More precisely, any representation p : G — > 
Mdxd(C) has the property that there exists some invertible P e M dxd (C), and a 
list of p^, Pj 2 , ■ ■ ■ such that ^ d% = d and for every g e G 

Pp{g)p- 1 = ®,p n {g) 

(that is, Pp(g)P~ x is block-diagonal, with the matrices PjXd) along the diagonals). 
Furthermore, the representations pj are irreducible in the sense that they cannot 
be decomposed into the sum of two or more smaller representations in this way. 
They are also unique up to conjugation. 

Since Yli^f = \G\, it is possible to define a unitary transformation from G to 
the vector space spanned by the labels of all the entries pi(j, k) of these irreducible 
representations pi. In particular, we can map 



0<j,k<di 
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where pi(j, k)(g) is the value of the (J, k) entry in the matrix Pi{g). Such a mapping 
is unitary and is called a quantum Fourier transform for the group G. There is 
freedom in the specific choice of pi within the set of unitary representations that 
are conjugate to pi, so there is more than one quantum Fourier transform. 

There has been much study of such quantum Fourier transforms for non-Abelian 
groups, which are sometimes possible to implement efficiently [21, 151, 156, 98, 
137], but efficient constructions are not known in general. It appears they are of 
limited use in solving the non-Abelian hidden subgroup, except in special cases 
[70, 156, 98, 88] such as when K is a normal subgroup of G. 

In the next sections we discuss several other lines of attack on the non-Abelian 
hidden subgroup that have yielded some partial progress on the problem. 

7.1.2 "Pretty Good Measurements" 

A natural approach to solving the non-Abelian hidden subgroup problem is to 
prepare several instances of a random coset state for the hidden subgroup K, and 
then try to determine what K is. More precisely, after preparing 

J>) | /(*))= £ \y + K)\f(y)) 

rreG y+K&G/K 

and discarding the second register we are left with the mixed state 

Pk= J2 \y + K)(y + K\. 

y+KeG/K 

Thus one could try to implement or approximate the optimal quantum mea- 
surement for identifying the mixed states px, over all possible hidden subgroups 
K < G. Furthermore, one could sample the state px a polynomial number of 
times t, and try to guess K given p K <g> p K <g> . . . <g> p K = p l K . 

Holevo [102] determined the optimal measurement for the following general 
state distinguishability problem. Given p e {pj}, output a label m such that the 
probability that p = p m is maximum. Let pj denote the probability that p = pj. 
Holevo proved that the maximum probability of guessing the correct input state 
p is achieved by a POVM with elements {Gj} satisfying the following conditions: 
Y^iViPiGi = Y^iViGiPi and Y^iViPiGi > VjPy However, it is not in general easy to 
efficiently find and implement such a POVM. 

Hausladen and Wootters [99] defined a 'pretty good' measurement for distin- 
guishing quantum states that is not necessarily optimal, but has a simpler form. 
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The measurement used POVM elements Gj = T~^pjT~^ and, if these don't sum 
to the identity, also / — ^ - Gj, where T = For the case of the dihedral 

hidden subgroup problem, it was shown [19] that the pretty good measurement 
is in fact optimal; however, in this case, it is still not known how to efficiently 
implement the pretty good measurement. However, it was later shown how to 
implement the pretty good measurement for the Heisengroup group HSP [19]. 

For example, in the case of the dihedral hidden subgroup problem for D 2 n, 
after a quantum Fourier transform on each of n coset states, one can view the 
resulting state of n registers as 

(| 0) + e 2 ™^ I 1)) I h) ®(|0) + e 2mh ^ 1 1)) I k 2 ) <g> . . . ® (| 0) + e 2mh ^ 1 1)) | k n ) 

for hi selected independently and uniformly at random from {0, 1, . . . , JV — 1}. 

The (|0) + e 27ri ^ | 1)) <g> (| 0) + e 2 ™^ | 1)) <g> . . . <g> (| 0) + e 2 ™^ | 1)) part of the 
state can be rewritten as 

I S r ) 

r 

where r spans all the possible sums of the form Yli^iki, h G {0,1} (the 'subset 
sums'), \S r ) is the uniform superposition of the strings | bib 2 ■ ■ ■ b n ) that satisfy 
Ylib k- = r ' anc ^ ar * s ^ e appropriate normalization factor (i.e. ^Jn T /2 n where n r 
is the number of solutions to ^2 b . k . = r). 

The optimal measurement [19] (in the restricted case of order 2 subgroups) 
can be thought of as mapping | S r ) 1— > | r), performing an inverse quantum Fourier 
transform and then measuring a value d which will be the guess of the value 
d (interestingly, a similar measurement is optimal [58] in the case of trying to 
optimally estimate an arbitrary phase parameter e [0, 2n) given the state (| 0) + 
e ikl<t> I 1)) x (| 0)+e^ fc2 1 1)) x ... x (| 0) + e i(t>kn 1 1))). Note that implementing such a 
basis change in reverse would solve the subset sum problem (which is NP-hard) . In 
fact, it suffices to solve the subset sum problem on average [154]. A nice discussion 
of this connection can be found in [19]. 

For groups that are semidirect products of an Abelian group and a cyclic group, 
the pretty good measurement corresponds to solving what is referred to [19] as a 
'matrix sum problem', which naturally generalizes the subset sum problem. They 
also show that the pretty good measurements are optimal in these cases, and 
similarly relate their implementation to solving the matrix sum problem to certain 
average-case algebraic problems. They show that the pretty good measurement 
can be implemented for several groups including semidirect product groups of the 
form Zp x Z p for constant r (when r = 2, this is the Heisenberg group), and of 
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the form Z N x Z p with p prime (which are metacyclic) and where the ratio N/p is 
polynomial in log TV. 

7.1.3 "Sieving" 

Kuperberg [129] introduced a method for attacking the hidden subgroup problem 
for the dihedral group that leads to a sub-exponential algorithm. 

The dihedral group is a non-Abelian group of order 2N, which corre- 
sponds to the set of symmetries of a regular iV-gon. It can be defined as the 
set of elements {(x,d) | x G {0, 1, 2, . . . , N — 1}, d G {0, 1}}, where {(x,0) \ x G 
{0, 1, 2, . . . , TV — 1}} is the Abelian subgroup of corresponding to the rotations 
(satisfying (x, 0) + (y, 0) = (x + y mod N, 0)), and {(0, 0), (y, 1)} are Abelian sub- 
groups of order 2 corresponding to reflections. In general, (x, 0) + (y, 1) = (y—x, 1), 
(y, 1) + (x, 0) = (x — y, 1) = —((x, 0) + (y, 1)). If the hidden subgroup is a sub- 
group of the Abelian subgroup of order N, then finding the hidden subgroup easily 
reduces to the Abelian hidden subgroup problem. However, there is no known effi- 
cient algorithm for finding hidden subgroups of the form {(0, 0), (y, 1)}. So we can 
focus attention to the following restricted version of the dihedral hidden subgroup. 

Dihedral Hidden Subgroup Problem (hard case) 

Input: An integer N, and a black-box implementing Uf : | x, d) | 0) h- > 
| x, d) | f(x, d)), where f(x±, d\) = f(x2, d\) if and only if (x±, d\) — (x2, d 2 ) G 
{(0,0), (y, 1)} for some y. 
Problem: Find y. 

As mentioned earlier, the dihedral hidden subgroup problem can be efficiently 
reduced to the following phase estimation problem [72] . 

Ettinger-H0yer phase estimation problem for the dihedral HSP 

Input: An integer N, and a black-box Od that outputs a classical value k G 
{0, 1, ... , N— 1} uniformly at random, along with the qubit ^(| 0)+e^ fe | 1)) 

where <p = for some integer d G {0, 1, 2 . . . , N - 1}. 

Problem: Find d. 

Note that if we could sample the values k = 2 j for j = 1,2,..., [log N] , then 
the phase estimation problem can be solved directly using the quantum Fourier 
transform [55]. 

Regev designed a clever method for generating states of the form "^(|0) + 
e i2i(t> | using 0(1) calls to the black-box Od, given an oracle that solves the 
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subset sum problem on average. Kuperberg [129] developed a "sieving" method of 
generating states of the form ^(| 0) + e 1 " 23 ^ | 1)) and the method was refined and 
improved to use less memory by Regev [154]. 

Quantum algorithms for the dihedral HSP 

There exists a quantum algorithm that solves the dihedral HSP with running 
time in e° ( - v/logAr - ) and uses space in e oly ^ log N \ There is also an algorithm 
with running time in e ^ logN log l °s N ) an d uses space in O(logiV). 



Classical algorithms for the dihedral HSP 

The classical complexity of the dihedral hidden subgroup problem is Q(\/~N) 
evaluations of the function /. 

Similar sieving methods were applied [11] to yield a subexponential time algo- 
rithm for the HSP over the product groups G n for a fixed non-Abelian group G. 
It has also been show that these kinds of quantum sieve algorithms will not give 
efficient quantum algorithms for graph isomorphism [139]. 

7.1.4 Other methods and results 

There are also some algorithms for solving other cases of the non-Abelian hidden 
subgroup problem that don't use any of the above techniques, e.g. [110, 84, 111]. 
These results use sophisticated classical and quantum group theoretic techniques 
to reduce an instance of a non-Abelian HSP to instances of HSP in Abelian groups. 

One of the most recent results [112] shows that such a reduction is possible for 
nil-2 groups, which are nilpotent groups of class 2. The group G is nilpotent of 
class n if the following holds. Let A\ = G, and let A i+ i = [Ai,G], for i > 0. A 
group G is nilpotent if A n+1 = {1}, for some integer n, and the class of a nilpotent 
group is the smallest positive integer n for which A n+ i = {1}. 

One of their techniques is to generalize Abelian HSP to a slightly more general 
problem, where the hidden subgroup K is hidden by a quantum procedure with 
the following properties. For every g 1 , g 2 , . . . , <?jv £ G the algorithm maps 

|^i>U 2 >...|^>|o)|o)...|o)^| 5l )| ff2 )...|^)|^>|^ 2 2 >---|C> 

where the set of states { | iffy \ g E G} is a hiding set for K, for each i — 1, 2, . . . , N. 
A set of normalized states {| ip g ) \ g G G} is a hiding set for the subgroup K of G 
if 
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• If g and h are in the same left coset of K then | ip g ) = \ iph). 

• If g and h are in different left cosets of K then (ijj g \ ijjj) = 0. 
Generators for the subgroup K of G can be found in time polynomial in log \ G\ 

using a quantum hiding procedure with N G 0(log \ G\). They find a series of non- 
trivial reductions of the standard HSP in nil-2 groups to instances of the Abelian 
HSP with a quantum hiding function. 

7.2 Lattice and Number Field Problems 

The Abelian Hidden Subgroup Problem also works for finitely generated groups G. 
We can thus define the hidden subgroup problem onG = ZxZx...xZ = Z n . The 
hidden subgroup K will be generated by some n-tuples in Z™. We can equivalently 
think of G as a lattice and K as a sublattice. The function / : G — > X, for some 
finite set X, that satisfies /(x) = /(y) if and only if x — y G K, can be thought of 
as hiding the sublattice K. 

By generalizing the problem to hiding sublattices of M. n , one can solve some 
interesting and important number theoretic problems. The solutions in these cases 
were not a simple extension of the Abelian hidden subgroup algorithm. 

Hallgren [94, 96] found a quantum algorithm for finding the integer solutions 
x,y to Pell's equation x 2 — dy 2 = 1, for any fixed integer d. He also found an 
efficient quantum algorithm for the Principal Ideal Problem, and later generalized 
it to computing the unit group of a number field of constant degree [95]. Solving 
Pell's equation is known to be at least as hard as factoring integers. We don't have 
room to introduce all the necessary definitions, but we'll sketch some of the main 
ideas. 

A number field F can be defined as a subfield Q{6) of the complex numbers 
that is generated by the rationals Q together with a root 9 of an irreducible poly- 
nomial with rational coefficients; the degree of F is the degree of the irreducible 
polynomial. The "integers" of F are the elements of F that are roots of monic poly- 
nomials (i.e. polynomials with leading coefficient equal to 1, such as x 2 + 5x + 1). 
The integers of F form a ring, denoted O. One can define a parameter A called 
the discriminant of F (we won't define it here), and an algorithm is considered 
efficient if its running time is polynomial in log A and n. The unit group of the 
ring F, denoted O*, is the set of elements a in O that have an inverse a_i G O. 
"Computing" the unit group corresponds to finding a description of a system of 
"fundamental" units, e±, €2, ■ ■ ■ , e r that generate O* in the sense that every unit 
e G O* can be written as e = /xe^e^ 2 . . . e^ r for some ki,k 2 , ■ ■ ■ ,k r G Z and some 
root of unity /i. However, in general, an exact description of a fundamental unit 



34 



requires an exponential number of bits. There are are some finite precision rep- 
resentations of the elements of the unit group, such as the "Log" embedding into 
W . This representation describes a unit a by an element of W where some finite 
precision representation of each coordinate suffices. This Log representation of 
the unit group O*, corresponds to a sublattice L = O* of W. Hence, we have a 
relationship between several important computational number field problems, and 
lattice problems. 

By the above correspondence between O* and the lattice L C K r , we can for- 
mulate [95, 162] the problem of computing the unit group as the problem of finding 
elements that approximate generators of the sublattice L of !R r . One important 
non-trivial step is defining a function / : !R r — > X (for some infinite set X) such 
that f(x) = f(y) if and only if x — y G L as well as appropriate discrete approx- 
imations to this function. The definition of these functions involves substantial 
knowledge of algebraic number theory, so we will not describe them here. 

By designing quantum algorithms for approximating generators of the lattice 
L, [95, 162] one can find polynomial time algorithms for computing the unit group 
O* of an algebraic number field F = Q(6). 

A corollary of this result, is a somewhat simpler solution to the Principal Ideal 
problem (in a constant degree number field) that had been found earlier by Hallgren 
[94]. An ideal X of the ring O is a subset of elements of O that is closed under 
addition, and is also closed under multiplication by elements of O. An ideal X is 
principal if it can be generated by one element a G X; in other words X = ctO = 
{af3 | (3 G O}. The principal ideal problem is, given generators for X, to decide if 
X is principal, and if it is, to find a generator a. 

As mentioned in section 4.3, the tools developed can also be applied to find 
unique (quantum) representatives of elements of the class group for constant degree 
number fields [96] (assuming the Generalized Riemann Hypothesis), and thus allow 
for the computation of the class group in these cases. 

7.3 Hidden Non-Linear Structures 

Another way to think of the Abelian Hidden Subgroup Problem is as an algorithm 
for finding a hidden linear structure within a vector space. For simplicity, let's 
consider the Abelian HSP over the additive group G = ¥ q x ¥ q x . . . x ¥ q = F™, 
where q = p m is a prime power. The elements of G can also be regarded as a vector 
space over ¥ q . A hidden subgroup H < G corresponds to a subspace of this vector 
space and its cosets correspond to parallel afline subspaces or flats. The function 
/ is constant on these linear structures within the vector space F" 
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A natural way to generalize this [52] is to consider functions that are constant on 
sets that are defined by non-linear equations. One problem they study is the hidden 
radius problem. The circle of radius r£F, centred at t — (t±, t2, ■ ■ ■ , t n ) G F™ is the 
set of points x = (xi, X2, ■ ■ ■ , x n ) G F™ that satisfy J2i( x i ~ = r - The point x on 
a circle centered at t will be represented as either (x, <r(s)), where s = x—t and cr(s) 
is a random permutation of s, or as (x, r(t)) where r(t) is a random permutation 
of t. We define f\ and /_! be the functions satisfying fi(x, c(s)) = r(t) and 
f_ 1 (x,T(t))=a(s). 

Hidden Radius Problem 

Input: A black box Uf l that implements | x) \ o~(s)) \ 0) h- > 
I x ) I °) I fi{ x i a { s )))i an d a black box Uf_ 1 that implements 
|x>|r(0)|0>^|x>|r(t)>|/-i(x,r(t))>. 
Problem: Find r. 



Quantum Algorithms for the Hidden Radius Problem 

For odd d, there is a bounded error quantum algorithm that makes 
polylog(g) queries to and Uf_ 1 and finds r. However, there is no known 
polynomial bound on the non-query operations. 

There is a bounded-error quantum algorithm that also makes polylog(g) 
operations in total, and determines x( r )> where x( r ) = 1 if r is a quadratic 
residue (that is, r = u 2 for some u G ¥ q ) and otherwise. 



Classical Algorithms for the Hidden Radius Problem 

It was shown in [52] that the expected number of queries needed to be able 
to guess any bit of information about r correctly with probability greater 
than | + poly (] logg ) is exponential in d log q. 

A number of other black-box problems of this kind were defined in [52] with 
quantum algorithms that are exponentially more efficient than any classical algo- 
rithm, in some cases just in terms of query complexity, and other times in terms of 
all operations. These problems fit into the frameworks of shifted subset problems 
and hidden polynomial problems. They use a variety of non-trivial techniques for 
these various problems, including the quantum Fourier transform, quantum walks 
on graphs, and make some non-trivial connections to various Kloosterman sums. 
Further work along these lines has been done in [65]. 
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7.4 Hidden shifts and translations 

There have been a variety of generalizations of the hidden subgroup problem to 
the problem of finding some sort of hidden shift or translation. 

Grigoriev [90] addressed the problem of the shift-equivalence of two polynomials 
(the self-shift-equivalence problem is a special case of the Abelian Hidden Subgroup 
Problem). Given two polynomials P±, P 2 in I variables Xi,X 2 , ■ ■ ■ , X t over F g (the 
finite field with q elements), does there exist an element (ai, a 2 , ■ ■ ■ , a\) G such 
that Pi(Xi - ai, X 2 - a 2 , ■ ■ ■ ,Xi - a t ) = P 2 {Xi, X 2 , . . . , Xi). More generally, if 
there is a group G (F l q in this case) acting on a set X (the set of polynomials in 
/ variables over ¥ q in this case), one can ask if two elements x,y G X are in the 
same orbit of the action of G on X (that is, if there is a g G G such that g(x) = y). 
In general, this seems like a hard problem, even for a quantum computer. 

The dihedral hidden subgroup problem [72] is a special case of the hidden 
translation problem [84], where there is a finite group G, with unique representation 
of the elements of G, and two injective functions / and f\ from G to some finite 
set X. 

Hidden Translation Problem: 
Input: 

Two black boxes Uf and Uf l that, for any x G G, implement the maps 
U fo : | x) | 0) i-> | x) \ fo{x)) and U fl : \ x) \ 0) i-> | x) \fi(x)). 
A promise that fi(x) = f (ux), for some u G G. 
Problem: Find u. 

The same problem expressed with additive group notation has been called the 
hidden shift problem, and instances of this problem were solved efficiently by van 
Dam, Hallgren and Ip [60]. For example, they find an efficient solution in the 
case that fi(x) = x( x + s ) where / = x is a multiplicative character function 
over a finite field, which implies a method for breaking a class of "algebraically 
homomorphic" cryptosystems. They also describe a more general hidden coset 
problem. 

In [84] it is shown how to solve the hidden translation problem in G = in 
polynomial time, and then show how to use this to solve the problem for any group 
that they call "smoothly solvable" . Let us briefly define what this means. 

For any two elements g, h of a group, we define their commutator, denoted 
[g, h] to be [g, h] = g~ 1 h~ 1 gh, and for any two subgroups H,K < G we define 
[H, K] to be the (normal) subgroup of G generated by all the commutators [h, k] 
where h G H,k G K. The derived subgroup of a group G is G^ = [G,G]. In 
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general, we define G (0) = G, G^ n+1 ^ = [G^ n \ G^], for n > 1. A group G is solvable 
if G^ = {1}, the trivial group, for some positive integer n, and the series of 
subgroups is called the derived series of G. A group G is called smoothly solvable 
if m is bounded above by a constant, and if the factor groups G^ +r> /G^ are 
isomorphic to a direct product of a group of bounded exponent (the exponent of 
a group is the smallest positive integer r such that g r = 1 for all g in the group) 
and a group of size polynomial in log \ G\. 

The algorithm for smoothly solvable groups works by solving a more general 
orbit coset problem, for which they prove a "self-reducibility" property. In particu- 
lar, orbit coset problem for a finite group G is reducible to the orbit coset problem 
in G/N and N, for any solvable normal subgroup iV of G. 

Quantum Algorithms for the Hidden Translation Problem: 

For groups G — Z™, the hidden translation problem can be solved with 
bounded probability using 0(p(n + p) p ~ l ) queries and (n + p)°^ other 
elementary operations. 

In general, for smoothly solvable groups G, the hidden translation problem 
can also be solved with a polynomial number of queries and other elementary 
operations. Another consequence of the tools they developed is a polynomial 
time solution to the hidden subgroup for such smoothly solvable groups. 

Classical Algorithms for the Hidden Translation Problem: 

In general, including the case G — Z™, the hidden translation problem 
requires f2(^/|G|) queries on a classical computer. 

Another natural generalization of the hidden translation or hidden shift prob- 
lem and the Abelian Hidden Subgroup Problem is the generalized hidden shift 
problem introduced in [49]. There is a function / : {0, 1, 2, . . . , M — 1} x Z^ — > X 
for some finite set X, with the property that for a fixed b G {0, 1, . . . , M — 1}, the 
mapping x h- > f(b,x) is one-to-one, and there is some hidden value s G Z^r such 
that f(b, x) = f(b + 1, x + s) for all b G {0, 1, . . . , M - 2}. Note that for M = 2, 
this is equivalent to the dihedral hidden subgroup problem for the group D N , and 
for M = N, this problem is equivalent to the Abelian Hidden Subgroup Problem 
for the hidden subgroup ((1, s)) of the group Z^r x 1>n- 
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Generalized Hidden Shift Problem: 
Input: Positive integers M and N. 

A black boxes Uf that maps \b,x)\0) i— > \b,x) \ f(b,x)) for all b G 
{0,1,..., M — 1} and x G Zjv, where / satisfies the properties defined 
above. 

Problem: Find s. 



Quantum Algorithms for the Generalized Hidden Shift Problem: 

There is a quantum algorithm that, for any fixed e > 0, and M > N e , solves 
the generalized hidden shift problem in time polynomial in log N. 

The algorithm uses a "pretty good measurement" that involves solving in- 
stances of the following matrix sum problem. Given x G and w G chosen 
uniformly at random, find b G {0, 1, . . . , M — l} k such that biXi = w mod N. 
Note how this generalizes the subset sum problem, which was shown to be related 
to the dihedral hidden subgroup problem [154]. While there is no efficient solution 
known for small M (even an average case solution suffices for the dihedral HSP), for 
M > N e , Lenstra's integer programming algorithm allows for an efficient solution 
to the matrix sum problem. 

Classical Algorithms for the Generalized Hidden Shift Problem: 

Any classical algorithm requires Q(y/~N) evaluations of the function /. 



7.5 Other related algorithms 

There are a variety of other problems that aren't (as far as we know) generalizations 
of the hidden subgroup problem, and arguably deserve a separate section. We'll 
mention them here since various parts of the algorithms for these problems use 
techniques related to those discussed in one of the other subsections of this section. 

Van Dam and Seroussi [62] give an efficient quantum algorithm for estimating 
Gauss sums. Consider a finite field W p r (where p is prime, and r is a positive 
integer). The multiplicative characters are homomorphisms of the multiplicative 
group, F* r , to the complex numbers C, and also map i — > 0. Each multiplicative 
character can be specified by an integer a G {0, 1, ... ,p r — 2} by defining Xa(g^) = 
where g is a generator for F* r and £ = e 27r *^ pr_1 - ) . 

The additive characters are homomorphisms of the additive group of the field 
to C, and can be specified by a value f3 G ¥ pr according to ep(x) = ^ Tr (/ 3a; ) ; where 
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Tr(y) = Y.]=,y p3 and C = e 2m/p . 

The Gauss sum G(W p r, Xai e p) is denned as 

G(W p r, x ,ep) = X(x)ep(x). 

X<=F p r 

It is known that the norm of the Gauss sum is \G(¥ p r, x, ep)\ = \[W ■, an d thus 
the hard part is determining, or approximating, the parameter 7 in the equation 

Gauss Sum Problem for Finite Fields: 

Input: A prime number p, positive integer r and a standard specification 

of F p r (including a generator g) . 

A positive integer a G {0, 1, . . . , p r — 2}. 

An element (3 € ¥ p r. 

A parameter e, < e < 1. 

Problem: Output an approximation, with error at most e, to 7 in the 
equation G(F p r, x a , £p) = e n y/jf. 

One noteworthy feature of this problem is that it is not a black-box problem. 

Quantum Algorithms for the Finite Field Gauss Sum Problem: 

There is a quantum algorithm running in time 0(^polylog(p r )) that outputs 
a value 7 such that (7 — 7) < e with probability at least |. 



Classical Complexity of the Finite Field Gauss Sum Problem: 

It was shown that solving this problem is at least as hard as the discrete 
logarithm problem in the multiplicative group of ¥ p r (see Section 4.2). 

Various generalizations of this problem were also studied in [63]. Other exam- 
ples include [64] which studies the problem of finding solutions to equations of the 
form af x + bg y = c, where a, b, c, /, g are elements of a finite field, and x, y are 
integers. 

8 Quantum walk algorithms 

Quantum walks, sometimes called quantum random walks, are quantum analogues 
of (classical) random walks, which have proved to be a very powerful algorithmic 
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tool in classical computer science. The quantum walk paradigm is still being 
developed. For example, the relationship between the continuous time and discrete 
time models of quantum walks is still not fully understood. In any case, the best 
known algorithms for several problems are some type of quantum walk. 

Here we restrict attention to walks on discrete state spaces. Because of the 
Strong Church- Turing thesis, we expect that any practical application of a walk on 
a continuous state space will have an efficient (up to polynomial factors) simulation 
on a discrete system. 

In general, any walk algorithm (classical or quantum), consists of a discrete 
state space, which is usually finite in size, but sometimes infinite state spaces are 
also considered when it is convenient to do so. The state space is usually modeled 
as being the vertices of a graph G, and the edges of the graph denote the allowed 
transitions. In classical discrete time walks, the system starts in some initial state, 
Vi. Then at every time step the system moves to a random neighbour w of the 
current vertex v, according to some probability distribution p(v, w). Let M denote 
the matrix where the (v, w) entry is p(v, w). Let v be the column vector with the 
value Pi in the ith position, where Pi is the probability that the initial vertex is v 
Then the vector v t = M*v describes the probability distribution of the system 
after t time steps after starting in a state described by the probability distribution 
v - 

The walks are usually analyzed as abstract walks on a graph. In practice, 
the vertices are representing more sophisticated objects. For example, suppose 
one wishes to solve a 3-SAT formula $ on n Boolean variables. One could define 
a random walk on the 2 n possible assignments of the Boolean variables. So the 
vertices of the graph would represent the 2™ Boolean strings of length n. One could 
start the walk on a random vertex (which corresponds to a random assignment 
of the n-Boolean variables). At every step of the walk, if the current vertex v 
corresponds to a satisfying assignment, then p(v,v) = 1 and the walk should not 
leave the vertex. Otherwise, a random clause should be picked, and one of the 
variables in that clause should be picked uniformly at random and flipped. This 
implicitly defines a probability distribution p(v,w). 

In a quantum walk, instead of just having classical probability distributions 
of the vertices i>j G V(G), one can have superpositions ^2 v . e y(G) a i\ v i) > anc ^ 
more generally any quantum mixed state of the vertices. If we restrict to unitary 
transitions, then there is a unitary matrix U that contains the transition amplitudes 
a(v, w) of going from vertex v to vertex w, and if the systems starts in initial state 
\ipo), then after k time steps the state of the system is U k \ipo). These unitary 
walks are not really "random" since the evolution is deterministic. More generally, 
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the transition function could be a completely positive map S, and if the system 
starts in the initials state p = \ip ) {ipo\, then after t time steps the state of the 
system will be £*(p). 

One cannot in general define a unitary walk on any graph [164], however if one 
explicitly adds a "coin" system of dimension as a large as the maximum degree d 
of the vertices (i.e. the new state space consists of the states | Vi) | c), v,- L e V(G) 
and c G {0, 1, . . . , d — 1}) then one can define a unitary walk on the new graph 
one would derive from the combined graph-coin system. In particular, the state of 
the coin system indicates to which neighbour of a given vertex the system should 
evolve. More generally, one can define a unitary walk on states of the form (vi, Vj), 
where {vi,Vj} is an edge of G. 

A continuous version of quantum walks was introduced by Farhi and Gutmann 
[79]. The idea is to let the adjacency matrix of the graph be the Hamiltonian 
driving the evolution of the system. Since the adjacency matrix is Hermitian, the 
resulting evolution will be unitary. The reason such a unitary is possible even for 
a graph where there is no unitary discrete time evolution is that in this continuous 
time Hamiltonian model, for any non-zero time evolution, there is some amplitude 
with which the walk has taken more than one step. 

In classical random walks, one is often concerned with the "mixing time" , which 
is the time it takes for the system to reach its equilibrium distribution. In a purely 
unitary (and thus reversible) walk, the system never reaches equilibrium, but there 
are alternative ways of arriving at an effective mixing time (e.g. averaging over 
time). In general, quantum walks offer at most a quadratically faster mixing. 
Another property of random walks is the "hitting time", which is the time it takes 
to reach some vertex of interest. There are examples where quantum walks offer 
exponentially faster hitting times. 

The study of what are essentially quantum walks has been around for decades, 
and the algorithmic applications have been developed for roughly 10 years. Much 
of the early algorithmic work developed the paradigm and discovered the proper- 
ties of quantum walks on abstract graphs, such as the line or circle, and also on 
general graphs (e.g. [4, 16]). There have also been applications to more concrete 
computational problems, and we will outline some of them here. 

Element Distinctness Problem 

Input: A black-box U / that maps | i) \ b) i— > | i) \ b © f(i)) for some function 
/:{0,l,...,iV-l}^{0,l,...,M}. 

Problem: Decide whether there exist inputs i and j, i ^ j, such that 

m = m- 
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Prior to the quantum walk algorithm of Ambainis, the best known quantum 

3 

algorithm used O(Ni) queries. 



Quantum Algorithms for Element Distinctness Problem 



2 

The quantum walk algorithm in [13] uses O(Ns) evaluations of Uf, 

2 2 

0(A3polylogA) non-query operations and 0(A3polylogA) space. 



Classical Algorithms for Element Distinctness 



A classical computer requires N — 0(1) applications of Uf in order to guess 
correctly with bounded error for worst-case instances of /. 



As is often the case with classical random walk algorithms, the graph is only 
defined implicitly, and is usually exponentially large in the size of the problem 
instance. For the element distinctness algorithm, the graph is defined as follows. 
The vertices are subsets of {1,2,..., N} of size [AT 3] . Two vertices are joined if 
the subsets differ in exactly two elements. A detailed description and analysis of 
this walk is beyond the scope of this survey. 

Szegedy [171] extended the approach of Ambainis to develop a powerful general 
framework for quantizing classical random walks in order to solve search problems. 
Suppose we wish to search a solution space of size N and there are eN solutions to 
f(x) = 1. Furthermore, suppose there is a classical random walk with transition 
matrix M, with the property that p(v, w) = p(w, v) (known as a 'symmetric' walk). 
It can be shown that the matrix M has maximum eigenvalue 1, and suppose the 
next highest eigenvalue is 1 — 5, for 5 > 0. The classical theory of random walks 
implies the existence of a bounded-error classical random walk search algorithm 
with query complexity in O(j^). Szegedy developed a "\/5e-rule" that gives a 
quantum version of the classical walk with query complexity in 0(-^=). This 
technique was generalized further in [133] and summarized nicely in [160]. 

Quantum walk searching has been applied to other problems such as triangle- 
finding [134], commutativity testing [132], matrix product verification [43], asso- 
ciativity testing when the range is restricted [68], and element k-distinctness [13]. 
A survey of results in quantum walks can be found in [15, 14, 122, 160]. 

8.1 Continuous time quantum walk algorithms 

In this section we describe two very well-known continuous time quantum walk 
algorithms. The first algorithm [47] illustrates how a quantum walk algorithm can 
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give an exponential speed-up in the black-box model. 

A problem instance of size n corresponds to an oracle Oc n that encodes a graph 
G n on 0(2 n ) vertices in the following way. The graph G n is the graph formed by 
taking 2 binary trees of depth n, and then "gluing" the two trees together by 
adding edges that create a cycle that alternates between the leaves of the first tree 
(selected at random) and the leaves of the second tree (selected at random). The 
two root vertices are called the "ENTRANCE" vertex, labelled with some known 
string, say, the all zeroes string 000 ... of length 2n, and "EXIT" vertex, which is 
labelled with a random string of length 2n. The remaining vertices of the graph are 
labelled with distinct random bit strings of length In. The oracle Oc n encodes the 
graph G n in the following way. For | x) where x G {0, l} 2n encodes a vertex label of 
G n , Og„ maps | x) | 00 . . . 0) to | x) \ ni(x), n 2 (x), n 3 (x)) where n^x), n 2 (x), n 3 (x) 
are the labels of the neighbours of x in any order (for the exit and entrance vertex, 
there will only be two distinct neighbours). 

"Glued-trees" problem 

Input: A black-box implementing Oc n for a graph G n of the above form. 
Problem: Output the label of the EXIT vertex. 



Quantum Algorithms for the "Glued-trees" problem 

There is a continuous time quantum walk which starts at the ENTRANCE 
vertex (in this case | 00 . . . 0) ) and evolves according to the Hamiltonian 
defined by the adjacency matrix of the graph G n for an amount of time t 
selected uniformly at random in [0, ^-]. Measuring will then yield the EXIT 
label with probability at least ^-(1 — e). 

The authors show how to efficiently simulate this continuous time quantum 
walk using a universal quantum computer that makes a polynomial number 
of calls to Og„- 



Classical Algorithms for the "Glued-trees" problem 

Any classical randomized algorithm must evaluate the black-box Oc n an 
exponential number of times in order to output the correct EXIT vertex 
label with non-negligible probability. More precisely, any classical algorithm 
that makes 2 n / 6 queries to Oc n can only find the EXIT with probability at 
most 4 ■ 2~ ra / 6 . 

Another very interesting and recent problem for which a quantum walk algo- 
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Figure 1: This is an example of a "glued-trees" graph with random labellings for 
all vertices (except the "ENTRANCE" vertex). The goal is to find the label of 
the "EXIT" vertex (in this case, it is 101010), given a black-box that outputs the 
vertex labels of the neighbours of a given vertex label. 

rithm has given the optimal algorithm is the problem of evaluating a NAND-tree 
(or AND-OR tree). The problem is nicely described by a binary tree of depth n 
whose leaves are labelled by the integers i £ {1, 2, ... , 2 n }. The input is a black- 
box Ox that encodes a binary string X = XiX 2 . . -X^, where N = 2 n . The ith 
leaf vertex is assigned value X it and the parent of any pair of vertices takes on the 
value which is the NAND of the value of its child vertices (the NAND of two input 
bits is if both inputs are 1 and 1 if either bit is 0). Thus, given the assignment of 
values to the leaves of a binary tree, one can compute the values of the remaining 
vertices in the tree, including the root vertex. The value of the NAND tree for a 
given assignment is the value of the root vertex. 
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NAND-tree evaluation 

Input: A black-box O x that encodes a binary string X = X X X 2 . . . X N e 
{0,1}^, N = 2 n . 

Problem: Output the value of the binary NAND tree whose ith leaf has 
value Xi. 



Classical Algorithms for NAND-tree evaluation 

The best known classical randomized algorithm uses O(N - 753 -) evaluations 
of the black-box, and it is also known that fi(jV - 753 -) evaluations are re- 
quired for any classical randomized algorithm. 

Until recently, no quantum algorithm worked better. 

Quantum Algorithms for NAND-tree evaluation 

Farhi, Goldstone and Gutmann [74] showed a continuous time walk that 
could solve this it time 0(y/~N) using a continuous version of the black- 
box, and it was subsequently showed that 0(iV 1//2+e ) queries to the discrete 
oracle suffice, for any real constant e > 0, and discrete walk versions of the 
algorithm and other generalizations were developed [17, 48] 

This was a very interesting breakthrough in solving a fundamental problem 
that had stumped quantum algorithms experts for a number of years. The general 
idea is inspired from techniques in particle physics and scattering theory. They 
consider a graph formed by taking a binary tree and making two additions to 
it. Firstly, for each leaf vertex where Xi — 1, add another vertex and join it to 
that leaf. Secondly, attach the root vertex to the middle of a long line graph of 
length in Q(y/~N). Then evolve the system according to the Hamiltonian equal 
to the adjacency matrix of this graph. Then one should start the system in a 
superposition of states on the left side of the line graph with phases defined so 
that if the NAND-tree were not attached, the "wave packet" would move from left 
to right along the line. If the packet gets reflected with non-negligible amplitude, 
then the NAND tree has value 1, otherwise, if the packet gets mostly transmitted, 
then the NAND tree has value 0. Thus one measures the system, and if one obtains 
a vertex to the left of the NAND-tree, one guesses "1", and if one obtains a vertex 
to the right of the NAND-tree, one guesses "0" . This algorithm outputs the correct 
answer with high probability. 

In a discrete query model, one can carefully simulate the continuous time walk 
[48] (as discussed in section 6), or one can apply the results of Szegedy [171] to 
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define a discrete-time coined walk with the same spectral properties [17] and thus 
obtain a discrete query complexity of N2 +e for any constant e > 0. 

This algorithm has also been applied solve MIN-MAX trees with a similar 
improvement [56] . The NAND-tree and related problems are related to deciding the 
winner of two-player games. Another very recent new class of quantum algorithms 
for evaluating a wider class of formulas, based on "span" programs, was developed 
in [155]. 

9 Adiabatic algorithms 

It is possible to encode the solution to a hard problem into the ground state of an 
efficiently simulatable Hamiltonian. For example, in order to try to solve 3-SAT 
for a formula on n Boolean variables, one could define a Hamiltonian 

#i= £ /*(x)|x)(x| 
xe{o,i} n 

where /$(x) is the number of clauses of $ that are violated by the assignment 
x. Then one could try to define algorithms to find such a ground state, such as 
quantum analogues of classical annealing or other heuristics (e.g. [101, 77]). 

Adiabatic algorithms (also known as adiabatic optimization algorithms) are a 
new paradigm for quantum algorithms invented by Farhi, Goldstone, Gutmann and 
Sipser [77]. The paradigm is based on the fact that, under the right conditions, 
a system that starts in the ground state of a Hamiltonian H(0), will with high 
probability remain in the ground state of the Hamiltonian H(t) of the system at a 
later time t, if the Hamiltonian of the system changes "slowly enough" from H(0) 
to H(t). This fact is called the adiabatic theorem (see e.g. [114]). 

This theorem inspires the following algorithmic paradigm: 

• Convert your problem to generating the ground state of some easy-to- 
simulate Hamiltonian Hi. 

• Initialize your quantum computer in an easy-to-prepare state | ip ) of an 
easy-to-simulate Hamiltonian H . 

• On the quantum computer, simulate a time-dependent Hamiltonian H(t) = 
(l-t/T)H + t/TH u for t going from to T. 
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An important detail is how slowly to transition from H to Hi (in other words, 
how large T should be). This related to two important parameters. Let Xo(t) be 
the smallest eigenvalue of H(t), and assume that the corresponding eigenspace is 
non-degenerate. Let \i(t) be the second smallest eigenvalue of H(t), and define 
g(t) = \i(t) — Xo(t) to be the gap between the two lowest eigenvalues. The norm of 
the Hamiltonian is also relevant. This is to be expected, since one can effectively 
speed-up time by a factor of s by just multiplying the Hamiltonian of the system 
by s. In any realistic implementation of the Hamiltonian one pays for such a 
speed-up by at least a factor of s in some resource. For example, if we simulate the 
Hamiltonian using quantum circuits (e.g. as described in section 6), the overhead 
is a factor of s 1+ °( 1 ) in the circuit depth, and thus there is no actual speed-up. 
Furthermore, the norm of the derivatives of the Hamiltonian is also relevant. 

There are a variety of theorems and claims in the literature proving, or arguing, 
that a value of T polynomial in the operator norm of dH Jf^ (or even some higher 
derivative) and in the inverse of the minimum gap (i.e. the minimum g(t), for 
< t < T), and in |, is sufficient in order to generate the final ground state with 
probability at least 1 — 5. The general folklore is that with the right assumptions 
the dependence on the minimum gap g min is f2(-j— ), and one can find examples 

^ min 

when this is the case, however more sophisticated descriptions of the dependence 
on g(t) are known (see e.g. [114]). 

For example, in order to try to solve 3-SAT for a formula on n Boolean variables, 
one could define a Hamiltonian 

H 1= /*(x)|x)(x| 
xe{o,i} n 

where /$(x) is the number of clauses of $ which are violated by the assignment x. 
Assuming there is exactly one satisfying assignment w, then | w) ( w| is the unique 
ground state of Hi. This algorithm has been studied numerically and analytically 
[76, 61, 157] and variations have been introduced as well to work around various 
lower bounds that were proved [75]. Unfortunately, it is not known what the 
worst-case complexity is for these algorithms on such NP-hard problems, since it 
has proved very hard to provide rigorous or even convincing heuristic bounds on 
the minimum gap for such problems of interest. It is widely believed that these 
algorithms will not solve an NP-hard problem in polynomial time, partly because 
it is believed that no quantum algorithm can do this. 

A slight generalization of adiabatic algorithms, called adiabatic computation 
(where the final Hamiltonian does not need to be diagonal in the computational 
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basis) was shown to be polynomially equivalent to general quantum computation 
[6]. 



10 Topological algorithms 

The standard models of quantum computation (e.g. quantum Turing machine, 
quantum acyclic circuits) are known to be equivalent in power (up to a polynomial 
factor), and the quantum Strong Church- Turing thesis states that any realistic 
model of computation can be efficiently simulated by such a quantum computer. 
If this were not the case, then one should seek to define a stronger model of com- 
putation that encapsulates the full computational power that the laws of physics 
offer. 

Freedman [82] proposed defining a computing model based on topological quan- 
tum field theories. The main objective was that such a computer might naturally 
solve an NP-hard or #P-hard topological problem, in particular, evaluating the 
Jones polynomial at certain points. A natural family of such topological quantum 
field theory computers was shown to be equivalent in power to the standard model 
of quantum computation, thus such a new model of computation would not provide 
additional computational power, but it was hoped that this new paradigm might 
inspire new quantum algorithms. In fact, it has been shown that "topological" al- 
gorithms can approximate the value of the Jones polynomial at certain points more 
efficiently than any known classical algorithm [83, 8]. The known approximations 
are not good enough to solve an NP-hard problem. Several other generalizations 
and related problems and algorithms have been found recently [131, 179, 5]. We 
will briefly sketch some of the definitions, results and techniques. 

A knot is a closed non-intersecting curve embedded in R 3 , usually represented 
via a knot diagram, which is a projection of the knot into the plane with additional 
information at each cross-over to indicate which strand goes over and which goes 
under. Two knots are considered equivalent if one can be manipulated into the 
other by an isotopy (i.e. by a transformations one could make to an actual knot 
that can be moved and stretched but not broken or passed through itself). A link 
is a collection of non-intersecting knots embedded in R 3 . They can be represented 
by similar diagrams, and there is a similar notion of equivalence. 

The Jones polynomial of a link L is a polynomial Vz,(t) that is a link invariant; 
in other words it has the property that if two links L\ and L2 are equivalent, then 
Vli(^) — Vl 2 (^)- Computing the Jones polynomial is in general ^P-hard for all 
but a finite number of values of t. In particular, it is #P-hard to evaluate the 
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Jones polynomial exactly at any primitive rth root of unity for any integer r > 5. 
However, certain approximations of these values are not known to be ^P-hard. 

The Jones polynomial is a special case of the Tutte polynomial of a planar 
graph. For a planar graph G = (V, E), with weights edge weights v = {v e \ e G E} 
the multivariate Tutte polynomial is defined as 

Z G (q;v ei ,v e2 ,...) = Y,^]!^ 

ACE e&A 

where q is another variable and k(A) is the number of connected components in the 
subgraph (V,A). The standard Tutte polynomial T G (x ) y) is obtained by setting 
v e = v for all e G E, x = 1 + q/v and y = 1 + v. Connections with physics are 
discussed, for example, in [119, 177, 169]. 

Here we briefly sketch a specific instance of such a problem, and the approach 
of [5] taken to solve this problem on a quantum computer. 

Firstly, for any planar graph G, one can efficiently find its medial graph L G , 
which is a 4-regular planar graph which can be drawn from a planar embedding of 
G as follows. Draw a new vertex with weight Ui in the middle of each edge that 
had label V{. For each new vertex, on each side of the original edge on which the 
vertex is placed, draw a new edge going in the clockwise direction joining the new 
vertex to the next new vertex encountered along the face of the original graph. Do 
the same in the counter-clockwise direction, and remove all the original edges and 
vertices. 

From this medial graph, one can define another polynomial called the Kauf- 
man bracket, denoted (L G )(d,Ui,u 2 , ■ ■ .), that satisfies (L G )(d, u±, u 2 , ■ ■ ■) = 
d~^Z G (d 2 ; dui, du 2 . . .). 

Additive approximation of the multivariate Tutte polynomial 
for a planar graph 

Input: A description of a planar graph G = (V, E). 

Complex valued weights v 1 ,v 2 ,---,v m corresponding to the edges 
ei,e 2 , . . . ,e m e E of G. 
A complex number q. 

Problem: Output an approximation of Z G (q; v±, v 2 , ■ ■ ■ , v m ). 



Quantum Algorithms for Approximating the Tutte Polynomial 

Aharonov et al. give a quantum algorithm that solves the above prob- 
lem in time polynomial in n with an additive approximate they denote by 
A a ; 9 /poly(m), which is described below. 
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The value A a i g depends on the embedding of the graph. The results are hard 
to compare to what his known about classical algorithms for this problem (see [34] 
for a discussion), but there are special cases that are BQP-hard. 

Classical Algorithms for Approximating the Tutte Polynomial 

It was shown [5] that for certain ranges of parameter choices, the approxi- 
mations given by the quantum algorithms are BQP-hard, and thus we don't 
expect a classical algorithm to be able to provide as good of an approxima- 
tion unless classical computers can efficiently simulate quantum computers. 



10.1 Sketch of the structure of the algorithm 

We only have room to give a broad overview of the algorithm. One of the main 
points is to emphasize that this algorithm looks nothing any of the other algorithms 
discussed in the previous sections. 

At a very high level, the idea is that these medial graphs Tq can be represented 
by a linear operation Qg such that La(d,Ui,U2, ■ ■ ■) = ( 1| Qg I !)• The quantum 
algorithm approximates the inner product between | 1) and Qg | 1), and therefore 
gives an approximation to the Kauffman bracket for G and thus the generalized 
Tutte polynomial for G. 

The medial graph L G will be represented as a product of basic elements % from 
a generalized Temperley-Lieb algebra. These basic elements % will be represented 
by simple linear transformations on finite dimensional Hilbert spaces, which can be 
implemented on a quantum computer. Below we briefly sketch this decomposition 
and correspondence. 

One can easily draw the medial graph Lg in the plane so that one can slice it 
with horizontal lines so that in between each consecutive horizontal line there is a 
diagram with only one of the following: a crossing of two lines, a "cap" or a "cup" . 
One can think of the gluing together of these adjacent diagrams % to form the 
graph Lq as a product operation. We will sketch how to map each % to a linear 
operation p{%) acting on a finite dimensional Hilbert space. 

The state space that the operation p{T{) will act on is the set of finite walks 
starting at vertex 1 on the infinite graph G with vertices labelled by the non- 
negative integers and edges {i, i + 1} for all % > 0. For example, the walk 1 — 2 — 
3 — 2 — 3 is a walk of length 4 from 1 to 3. The linear transformation p{%) maps a 
walk w\ to a linear combination of walks that are "compatible" with % (we won't 
explain here the details of defining this linear transformation). 

In order to apply this technique to a diagram with a crossing, one eliminates 
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the crossing by replacing it with two non-intersecting lines. This replacement can 
be done in two different ways, and one can represent the diagram with a crossing as 
a formal linear combination of these two diagrams one gets by replacing a crossing 
at a vertex (say with label u) with two non-intersecting lines, where one of the two 
links gets the coefficient u (by a simple rule that we don't have room to explain). 
We can then apply the construction to each of these new diagrams, and combine 
them linearly to get the linear transformation corresponding to the diagram with 
the crossing. 

These linear transformations are not necessarily unitary (they were unitary in 
the earlier work on the Jones polynomial, and other related work, construct unitary 
representations), however the authors show how one can use ancilla qubits and 
unitaries to implement non-unitary transformations and approximate the desired 
inner product using the "Hadamard test" (see Section 11). 

11 Quantum algorithms for quantum tasks 

At present, when we think of quantum algorithms, we usually think of starting 
with a classical input, running some quantum algorithm, or series of quantum 
algorithms, with some classical post-processing in order to get a classical output. 
There might be some quantum sub-routines that have been analyzed, but the main 
goal in mind is to solve a classical problem. 

For example, quantum error correction (see [123] for a recent survey) can be 
thought of as an algorithm having a quantum input and a quantum output. There 
are many algorithms for transferring a qubit of information through a network 
of qubits under some physical constraints. We might develop a quantum crypto- 
graphic infrastructure where objects like money and signatures [89] are quantum 
states that need to be maintained and manipulated as quantum states for long 
periods of time. 

Several of the algorithms described in the previous sections have versions which 
have a quantum input or a quantum output or both. For example, the amplitude 
amplification algorithm can be rephrased in terms of finding a quantum state | 0) 
given a black-box U$ that recognized | 0) by mapping | <p) i— > — | 0) and acting as 
the identity on all states orthogonal to |0). The end result of such a quantum 
search is the quantum state | 0). Amplitude estimation is estimating a transition 
probability of a unitary operator. 

The topological algorithms require as a basic subroutine a quantum algorithm 
for approximating the inner product of | 0) and U | 00 . . . 0), which the authors call 
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the "Hadamard test". The algorithm consists of using a controlled-?/ operation 
to create the state ^= | 0) | 00 . . . 0) + ^ | 1) U | 00 . . . 0). Note that if we apply the 
Hadamard gate to the first qubit, we get 



l + Re(00...0\U 00... 0) . ft . . , , I - Re ( 00 . . . 01 U 00... 0) . , , 

o I °) I W + \ 7: I 1) I 



for normalized states \ and \ We can thus estimate the real part of the 
( 00 ... 0| U | 00 ... 0) by repeating several times, or applying the quadratically more 
efficient amplitude estimation algorithm algorithm described earlier (the goal is a 
superpolynomial speed-up, so a quadratic improvement is not substantial in this 
case). We can also estimate the complex part similarly. 

Another example is the coset orbit problem [84] mentioned in section 7. The 
input to this problem consists of two quantum states | O ) an d | 4>i) from a set Y 
of mutually orthogonal states and black-boxes for implementing the action of a 
group G on the set V . For a state | 0), let | u • 0) denote the state resulting from 
the action of u E G on | 0), and let G^) denote the subgroup of G that stabilizes 
the state | 0) (i.e. the set of u E G such that | u ■ 0) = \ 4>)). The question is 
whether there exists a u E G such that | u ■ X ) = | O ). If the answer is "yes", 
then the set of u satisfying | u ■ 0i) = | O ) is a left coset of G\^). Thus, the 
algorithm should output a coset representative u along with O(logn) generators 
of G\ ( j >1 ). The solution to this problem was an important part of the solution 
to the hidden translation problem. Several other quantum algorithms have such 
"quantum" sub-routines. 

Other examples of quantum tasks include quantum data compression which 
was known to be information theoretically possible, and efficient quantum circuits 
for performing it were also developed [27]. Another example is entanglement con- 
centration and distillation. 

Researchers have also developed quantum algorithms for implement some natu- 
ral basis changes, which have quantum inputs and quantum outputs. For example, 
the Clebsch-Gordan transformation [20] or other transformations (e.g. [103, 71]). 

We've only listed a few examples here. In the future, as quantum technolo- 
gies, in particular quantum computers and reliable quantum memories, develop, 
quantum states and their manipulation will become an end in themselves. 
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12 Future directions 



Roughly 10 years ago, many people said that there were essentially only two quan- 
tum algorithms. One serious omission was the simulation of quantum mechanical 
systems, which was in fact Feynman's initial motivation for quantum computers. 
Apart from this omission, it was true that researchers were developing a better and 
deeper understanding of the algorithms of Shor and Grover, analyzing them in dif- 
ferent ways, generalizing them, and applying them in non-trivial ways. It would 
have been feasible to write a reasonably sized survey of all the known quantum 
algorithms with substantial details included. In addition to this important and 
non-trivial work, researchers were looking hard for "new" approaches, and fresh 
ideas like quantum walks, and topological algorithms, were being investigated, as 
well as continued work on the non-Abelian version of the hidden subgroup problem. 
The whole endeavour of finding new quantum algorithms was very hard and often 
frustrating. Fortunately, in the last 10 years, there have been many non-trivial de- 
velopments, enough to make the writing of a full survey of quantum algorithms in 
a reasonable number of pages impossible. Some directions in which future progress 
might be made are listed below. 

• The complexity of the non-Abelian hidden subgroup problem will hopefully 
be better understood. This includes addressing the question: Does there exist 
a quantum polynomial time algorithm for solving the graph isomorphism 
problem? Of course, a proof that no such quantum algorithm exists would 
imply that P ^ PSPACE. So, more likely, we might develop a strong 
confidence that no such algorithm exists, in which case this can form the 
basis of quantum computationally secure cryptography [140]. 

• There are many examples where amplitude amplification was used to speed- 
up a classical algorithm in a non-trivial way. That is, in a way that was more 
than just treating a classical algorithm as a guessing algorithm A and apply- 
ing amplitude amplification to it. There are likely countless other algorithms 
which can be improved in non-trivial ways using amplitude amplification. 

• The quantum walk paradigm for quantum algorithms emerged roughly 10 
years ago, and has recently been applied to find the optimal black-box al- 
gorithm for several problems, and has become a standard approach for de- 
veloping quantum algorithms. Some of these black-box problems are fairly 
natural, and the black-boxes can be substituted with circuits for actual func- 
tions of interest. For example, collision finding can be applied to find colli- 
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sions in actual hash functions used in cryptography. We will hopefully see 
more instances where black-box algorithm can be applied to solve an problem 
without a black-box, or where there is no black-box in the first place. 

In addition to the development of new quantum walk algorithms, we will 
hopefully have a more elegant and unified general theory of quantum walks 
that unites continuous and discrete walks, coined and non-coined walks, and 
quantum and classical walks. 

The adiabatic algorithm paradigm has not reached the level of success of 
quantum walks, partly because it is hard to analyze the worst case complexity 
of the algorithms. To date there is no adiabatic algorithm with a proof that it 
works more than quadratically faster than the best known classical algorithm. 
Can we do better with an adiabatic algorithm? 

If and when we have large-scale quantum computers, we will be able to just 
test these algorithms to see if indeed they do have the conjectured running 
times on instances of interesting size. 

The topological algorithms have received limited attention to date. This is 
partly because the initial work in this field was largely inaccessible to re- 
searchers without substantial familiarity with topological quantum field the- 
ory and related areas of mathematics. The more recent work summarized in 
this paper and other recent papers is a sign that this approach could mature 
into a fruitful paradigm for developing new important quantum algorithms. 

The paradigm of measurement based computation (see e.g. [117] for an 
introduction) has been to date mostly focussed on its utility as a paradigm 
for possibly implementing a scalable fault-tolerant quantum computer. We 
might see the development of algorithms directly in this paradigm. Similarly 
for globally controlled architectures. 

There is also a growing group of researchers looking at the computational 
complexity of various computational problems in physics, in particular of 
simulating certain Hamiltonian systems, often coming from condensed matter 
physics. Much of the work has been complexity theoretic, such as proving 
the QMA-h&rdness of computing ground states of certain Hamiltonians (e.g. 
[7]). Other work has focussed on understanding which quantum systems 
can be simulated efficiently on a classical computer. This work should lead 
to the definition of some simulation problems that are not known to be 
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in BPP, nor believed to be iVP-hard or QMA-h&rd, and thus might be 
good candidates for a quantum algorithm. There has been a language and 
culture barrier between physicists and theoretical computer scientists when 
it comes to discussing such problems. However, it is slowly breaking down, as 
more physicists are becoming familiar with algorithms and complexity, and 
more quantum computer scientists are becoming familiar with language and 
notions from physics. This will hopefully lead to more quantum algorithms 
for computational problems in physics, and new algorithmic primitives that 
can be applied to a wider range of problems. 

In summary, as daunting as it is to write a survey of quantum algorithms at this 
time, it will be a much harder task in another 10 years. Furthermore, in another 10 
years we will hopefully have a better idea of when we might expect to see quantum 
computers large enough to solve problems faster than the best available classical 
computers. 
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